KR101723715B1 - Systems and methods for enterprise mission management of a computer network - Google Patents

Abstract

The present invention relates to a system (100) and method (1400) for enterprise mission management of a computer network ("CN"). The method includes configuring the CN to operate in accordance with a first mission plan ("MP") that specifies how the value assigned to the first identification parameter ("IDP") is dynamically modified by the first node of the CN ; Detecting a trigger event indicating whether a new MP needs to be executed within the CN; Obtaining a second MP specifying a manner in which the value assigned to the second IDP is dynamically modified by the second node of the CN; Determining whether an arbitrary conflict exists between the operation of the second node defined by the second MP and the operation of the first node defined by the first MP; And configuring the operation of the CN to further operate according to the second MP if it is determined that no conflicts exist.

Description

TECHNICAL FIELD [0001] The present invention relates to a system and a method for managing an enterprise mission of a computer network,

The arrangement of the present invention relates to computer network security, and more particularly to a system for communicating between two or more logical subdivisions of a computer network that is dynamically switchable to defend against malicious attacks.

Currently, the main vulnerability of cyber infrastructures is static. Assets accept permanent or infrequently changing identifications, allow virtually unlimited times for enemies to probe the network, map, and exploit vulnerabilities. Additionally, data coming and going between these fixed entities can be captured and attributes. Current approaches to cybersecurity use encryption to secure data such as firewalls and intrusion detection systems around fixed assets and to protect data on the way. However, this traditional approach is fundamentally flawed because it provides the attacker with fixed goals. In today's globally connected communications infrastructure, a static network is a weak network.

The Defense Advanced Research Projects Agency ("DARPA") Information Assurance ("IA") program conducted initial research in the area of dynamic network defense. Technique was developed in accordance with an IA program that dynamically reallocates Internet Protocol ("IP ") address space that feeds pre-specified network aggregates for the purpose of confusing any future observers of the network. This technique is called dynamic network address translation ("DYNAT"). The outline of the DYNAT technology is presented in a paper by DARPA entitled "Dynamic Approach to the Intelligence of the Enemies" published in 2001.

It is an object of the present invention to provide a system and method for enterprise mission management of a computer network in which node operations are dynamically configurable.

An embodiment of the present invention relates to a system and method for enterprise mission management of a computer network in which node operations are dynamically configurable. The invention comprises configuring a computer network operating according to at least one first mission plan. The first mission plan specifies how the assigned value for at least one first identification parameter ("IDP") is dynamically modified by at least one first node of the computer network. Then, the first trigger event is detected in the computer network indicating that the new mission plan needs to be executed within the computer network. The first trigger event may be detected based on the content of a packet delivered within the computer network, the congestion of the computer network, the state of the computer network, user activity within the computer network, and / or malicious attacks on the computer network.

In response to the trigger event, a second mission plan is obtained. The second mission plan specifies how the value assigned to at least one second IDP is dynamically modified by at least one second node of the computer network. In some scenarios, the second mission plan selects a mission plan from a plurality of pre-stored mission plans based on the results of analyzing the requirements of the new mission and the operational aspects of the computer network; Automatically generate a mission plan based on the results of analyzing the requirements of the new mission and the operational aspects of the computer network; or the relationship between the concept of operation on the mission, the architecture of the computer network, and the resources of the computer network , And an efficiency class associated with a plurality of IDPs.

Next, a determination is made as to whether there is any conflict between the operation of the second node defined by the second mission plan and the operation of the first node defined by the first mission plan. If it is determined that no conflicts exist between the operations of the first and second nodes as defined by the first and second mission plans, then the operation of the computer network is configured to further operate according to the second mission plan. Conversely, if it is determined that a conflict exists between the operations of the first and second nodes as defined by the first and second mission plans, then the second mission plan is modified to obtain the third mission plan. A determination is then made whether an arbitrary conflict exists between the operation of the third node defined by the third mission plan and the operation of the first node defined by the first mission plan. If it is determined that a collision exists between the operations of the first and third nodes as defined by the first and third mission plans, then the operation of the computer network is configured to operate in accordance with the third mission plan.

In some scenarios, the method may also include determining whether the computer network should continue to operate in accordance with the active first or second mission plan. If it is determined that the computer network should not continue to operate in accordance with the active first or second mission plan, then the operation may include reconfiguring the computer network as the computer network is no longer operating in accordance with the first or second mission plan; And / or to reconfigure the computer network to operate in accordance with the third mission plan instead of the first or second mission plan.

The present invention provides a system for communicating between two or more logical subdivisions of a computer network security, and more specifically, a computer network that is dynamically switchable to defend against malicious attacks.

BRIEF DESCRIPTION OF THE DRAWINGS Embodiments will be described with reference to the following drawings, wherein like reference numerals designate like elements throughout the views, wherein:
Figure 1 is an embodiment of a computer network useful for understanding the present invention.
Figure 2 is an embodiment of a module that may be used in the present invention to perform certain operations of an IDP.
Figure 3 is a flow diagram of an exemplary process for manually generating a mission plan.
Figure 4 is a diagram useful in understanding the tool that can be used to help characterize the network in Figure 1;
FIG. 5 is an embodiment of a graphical user interface ("GUI") that can be used to select dynamic settings for a module in FIG.
FIG. 6 is an embodiment of a GUI that can be used to select a sequence of active and bypass states associated with each module in FIG.
Figure 7 is a flow diagram of an exemplary process for automatically and dynamically generating a mission plan.
Figure 8 is an exemplary process for identifying and resolving mission plan conflicts.
Figure 9 is a diagram useful for understanding how a mission plan can be delivered to multiple modules in the network in Figure 1.
10 is a schematic illustration of an exemplary GUI that can be used to select a mission plan from a plurality of mission plans as shown in FIG. 9 and that can be used to communicate a selected mission plan to a module.
Figure 11 is a flow chart useful for understanding the operation of the module in Figure 1;
Figure 12 is a schematic illustration useful for understanding the overall enterprise behavior of a computer network.
Figure 13 is a schematic view useful for understanding enterprise mission management.
Figure 14 is a flow diagram of an exemplary method for enterprise mission management of a dynamic computer network.
15 is a block diagram of a computer architecture that may be used to execute modules in FIG.
16 is a block diagram of a computer architecture that may be used to execute the network management computer ("NAC") shown in FIG.
Figure 17 is an embodiment of a computer network useful for understanding the present invention.
18 is a flowchart useful in understanding the operation of the switch in Fig.
19 is a flowchart useful for understanding the operation of the switch in Fig.
Figure 20 is an embodiment of a switch that can be used to implement a method for routing data packets in accordance with the present invention.
Figure 21 is a table useful for understanding some of the types of IDPs that can be modified.

The invention is described with reference to the accompanying drawings. The drawings are not drawn to scale and they are provided only to illustrate the invention in an instant. Various aspects of the invention are described below with reference to exemplary applications for illustration. It is to be understood that a number of specific details, relationships, and methods are presented to provide a thorough understanding of the present invention. However, those skilled in the art will readily appreciate that the present invention may be practiced without one or more of the specific details, or in other ways. In other embodiments, well-known structures or acts are not specifically shown to avoid obscuring the present invention. The present invention is not limited by the illustrated order of operations or events, as some operations may occur in different orders and / or concurrently with other operations or events. Also, not all illustrated acts or events are required to practice the methodology in accordance with the present invention.

It is also to be appreciated that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the singular forms "a", "an" and "the" are intended to include the plural, unless the context clearly dictates otherwise. It should also be understood that the terms " including, "" includes," " having ", "having "," with ", or variations thereof, As used in the claims, such term is intended to be included in a manner similar to the term " comprising ".

Also, unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. It is to be understood that such commonly used predefined terms such as these may be construed as having a meaning consistent with the meaning in the context of the relevant art and are not to be interpreted in idealized or overly formal terms It can be understood more.

discrimination Agile  Computer network

Referring now to FIG. 1, a diagram of an exemplary computer network 100 including a plurality of computing devices is shown. The computing device may include client computers 101-103, NAC 104, servers 111 and 112, network layer 2 switches 108 and 109, layer 3 switch 110, and bridge 115 . The client computers 101-103 may be any type of computing device that may require network services, such as conventional tablet, notebook, laptop or desktop computers. Layer 3 switch 110 may be a conventional routing device that routes data packets between computer networks. Layer 2 switches 108 and 109 are conventional hub devices (e. G., Ethernet hubs) as are known in the art. Servers 111 and 112 may provide various computing services used by client computers 101-103. For example, the server 111, 112 may be a file server that provides a location for shared storage of computer files used by the client computers 101-103.

The communication media for the computer network 100 may be wired, wireless, or both, but may be described herein as a wired network for the sake of simplicity and to avoid obscuring the present invention. The network will communicate data using a communication protocol. As is known in the art, communication protocols define the formats and rules used to communicate data over a network. In FIG. 1, the computer network 100 may use any communication protocol or combination of protocols that are currently known or will be known in the future. For example, the computer network 100 may use a known Ethernet protocol suitable for such communications. Alternatively, the computer network 100 may include a protocol of the Internet Protocol Suite (often referred to as a Transmission Control Protocol / Internet Protocol ("TCP / IP") suite), a Synchronous Optical Network / Synchronous Digital Hierarchy ) Based protocols, or asynchronous transfer mode ("ATM") communication protocols. In some embodiments, one or more of these communication protocols may be used in combination. Although one network topology is shown in FIG. 1, the present invention is not limited in this respect. Instead, any type of suitable network topology may be used, such as a bus network, a star network, a ring network, or a mesh network.

The present invention generally relates to a method for communicating data in a computer network (e.g., in computer network 100) in which data is transferred from a first computing device to a second computing device. Computing devices within a network are represented by multiple IDPs. As used herein, the phrase "identification parameter or IDP" may include items such as an IP address, a media access control ("MAC") address, a port number, However, the invention is not limited in this respect, and the IDP may also include various other information useful for characterizing the network node. The various types of IDP considered here are discussed in more detail below. In some scenarios, the IDP includes these parameters included in the header and / or tailor part of the data packet and does not include those contained in the payload part of the data packet. Still, the embodiment is not limited to the details of such scenarios.

The arrangement of the present invention includes the use of a mobile target technology ("MTT") for manipulating one or more of such IDPs for one or more computing devices within the computer network 100. This technique masquerades the communication pattern and network address of such a computing device. The operation of the IDP as described herein may be used in connection with data communication in the computer network 100, that is, when data is transmitted from a first computer (e.g., client computer 101) (E.g., computer 102). Thus, the IDP that is manipulated may include those of the source computing device (i.e., the device from which the data was generated) and the destination computing device (i.e., the device from which the data is to be sent). The set of IDPs communicated is referred to herein as the IDP set. This concept is illustrated in FIG. 1, which illustrates that IDP set 120 is transmitted by client computer 101 as part of a data packet (not shown).

The process according to the present invention includes selectively modifying values contained in a data packet or datagram that specify one or more identification parameters of a source computing device and / or a destination computing device at a first location within the computer network 100 do. The IDP is modified according to the mission plan. The location at which such modification is performed will generally coincide with the location of one module 105-107, 113, 114 of the computer network 100. Referring again to FIG. 1, it can be observed that modules 105-107, 113 and 114 are interposed in a computer network 100 between various computing devices including nodes in such networks. At these locations, the modules 105-107, 113 and 114 intercept data packet communications perform the necessary operations of the IDP and retransmit the data packets along the transmission path. In an alternative embodiment, modules 105-107, 113, and 114 may perform similar functions, but may be integrated directly into one or more of the computing devices. For example, the module may be integrated into the client computers 101, 102 and 103, the servers 111 and 112, the layer 2 switches 108 and 109 and / or the layer 3 switch 110.

Additionally, the computer network 100 may be divided into a number of logical subdivisions, sometimes referred to as subnetworks or subnets, connected through a Layer 3 switch 110. The enterprise network can hide the topology of the network from what it can see on the external host, connect the network using other network protocols, manage the network addressing scheme on the subnet level separately, and manage data traffic across the subnet , And the like, but may be subdivided into multiple subnets for various administrative or technical reasons, including but not limited to these. The subnetting is well known in the art and will not be described in further detail.

Referring again to FIG. 1, the computer network 100 is divided into two logical networks: a first logical network 130 and a second logical network 132. As used herein, the phrase "logical network" refers to any logical subdivision of a computer network. In an embodiment, the logical networks 130 and 132 are connected via a layer 3 switch 110. Layer 3 switch 110 is responsible for directing traffic between logical networks, i.e., from client computer 101 to client computer 103. The Layer 3 switch 110 is also responsible for directing traffic from any host connected to the computer network 100 coupled to the second network 124. In the embodiment shown in FIG. 1, traffic routed from the computer network 100 to the second network 124 passes through the bridge 115. For the above modules, the functionality of bridge 115 may be integrated within layer 3 switch 110.

An embodiment of a functional block diagram of module 105 is shown in Fig. It should be understood that modules 106, 107, 113 and 114 of FIG. 1 may have functional block diagrams similar to those shown in FIG. 2, but the invention is not limited in this respect. As shown in FIG. 2, the module 105 has at least two data ports 201, 202, each of which can correspond to a respective network interface device 204, 205. The data received at the data port 201 is processed at the network interface device 204 and temporarily stored in the input buffer 210. [ The processor 215 accesses the input data packets contained in the input buffer 210 and performs any necessary operations of the IDP as described herein. The modified data packet is passed to the output buffer 212 and then transmitted from the data port 202 using the network interface device 205. Similarly, data received at the data port 202 is processed at the network interface device 205 and temporarily stored in the input buffer 208. The processor 215 accesses the input data packets contained in the input buffer 208 and performs any necessary operations of the IDP as described herein. The modified data packet is passed to the output buffer 206 and then transmitted from the data port 201 using the network interface device 204. In module 105, the operation of the IDP is performed by the processor 215 in accordance with the mission plan 220 stored in the memory 218.

It will be understood from FIG. 2 that module 105 is preferably configured to operate in both directions. In such an embodiment, the module 105 may perform other modification functions depending on the source of the particular data packet. The dynamic modification function in module 105 may be specified in the mission plan depending on the source computing device of the particular data packet. Module 105 may determine the source of the data packet by any suitable means. For example, the source address of a data packet may be used for this purpose.

During operation, the processor 215 will determine one or more false IDP values to be used in place of the true IDP value. Processor 215 will convert one or more true IDP values to one or more false IDP values that are preferably specified by a pseudo-random function. Following this transformation, the module 105 will send the modified packet or datagram along the transmission path to the next node in the computer network 100. At a subsequent point in the communication path, a small computer monitoring such network communication will find false or inaccurate information regarding the identification of a computing device communicating on the network 100.

The IDP value will have a predetermined format defined by the communication protocol. For example, the IP address and the MAC address will each have a known predetermined format. A false IDP value may have the same format as a true IDP, since it is desirable that an attacker can not identify a true IDP from a false IDP. In other words, a fake IDP can have both exact features and formatting that are typically specified for that type of IDP when using a particular network communication protocol. For purposes of the present invention, it is expected that the IDP can be explicitly transmitted (i.e., the information will not be encrypted). By maintaining the correct format for both the true and false IDPs contained in the transmitted data packet, the system ensures that the observer of network traffic can not effectively determine whether the transmitted IDP value is actually TRUE or FALSE .

In some scenarios, a false IDP specified by a pseudo-random function changes in response to the occurrence of one or more reactive trigger events. The reactive trigger event causes the processor 215 to use a pseudo-random function to generate a new set of false IDP values for which a true IDP is to be converted. Therefore, the reactive trigger event serves as the basis for the dynamic change of the false IDP described here. Reactive trigger events are discussed in more detail below. It should be noted, however, that a reactive trigger event for selecting a new set of false values for an IDP may be based on at least one predefined rule. The rule includes a sentence that defines at least one reactive trigger event. At this point, the user rules may implement a packet inspection based scheme, a congestion based scheme, a heuristic algorithm based scheme, and / or a network based attack ("NBA") analysis based scheme. Each of the listed schemes will be described in detail below.

The conversion of the IDP described above provides one way to switch the computer network 100 for the purpose of preventing cyber attacks. In some scenarios, the mission plan 220 executed by the processor 215 will also control certain other aspects of the manner in which the computer network 100 can switch. For example, the mission plan 220 may specify that the dynamic selection of the IDP is to be manipulated. The dynamic selection may include the selection of which IDP is selected for modification and / or the number of such IDPs to be selected. This variant selection process provides additional unspecificity or variability characteristics that can be used to further block the enemy's effort to penetrate or acquire computer network 100. [ As an example of this technique, consider that during a first time period, the module 105 may modify the destination IP address and the destination MAC address of each data packet. During the second time period, the module 105 may manipulate the source IP address and the source host name in each data packet. During a third period of time, the module 105 may manipulate the source port number and the source user name. Changes in the selection of IDPs can occur simultaneously (i.e., all selected IDPs change simultaneously). Alternatively, changes in the selection of the IDP may occur asynchronously (i.e., the group of selected IDPs gradually changes as individual IDPs are added or removed from the selected group of IDPs).

The pseudo-random function is preferably used to determine the choice of identification value to be manipulated or converted to a false value. In other words, the module 105 will only convert the IDPs selected by the pseudo-random function. In some scenarios, the selection of the IDP specified by the pseudo-random function changes with the occurrence of the reactive trigger event. The reactive trigger event causes the processor 215 to use a pseudo-random function to generate a new selection of the IDP to be converted to a false IDP. Thus, the reactive trigger event serves as the basis for the dynamic change of selection of the IDP described herein. In particular, the value of the IDP may also be varied according to a pseudo-random algorithm.

The module 105 may also advantageously provide a third method of switching the computer network for the purpose of preventing cyber attacks. Specifically, the mission plan 220 loaded into the module 105 can dynamically change the location in the network where modification or translation of the IDP can occur. Consider that a modification of the IDP may occur in the module 105 in the IDP set 120 sent from the client computer 101 to the client computer 102. [ This condition is shown in FIG. 1 where the IDPs contained in the IDP set 120 are manipulated in the module 105 such that the IDP set 120 is transformed into a new or modified IDP set 122. At least a portion of the IDP in the IDP set 122 is different from the IDP in the IDP set 120. [ However, the location at which such conversion occurs is also preferably controlled by the mission plan. Thus, manipulation of the IDP set 120 may occasionally occur in modules 113 and 114 of FIG. 1 instead of, for example, module 105. FIG. This ability to selectively change the location at which the operation of the IDP occurs adds more importance to the ability of the computer network 100 to switch.

A dynamic change in the position at which the IDP is modified is facilitated by selectively controlling the operating state of each module 105-107, 113, 114 of FIG. For that purpose, the operational state of each module 105-107, 113, 114 of FIG. 1 is preferably (1) an active state in which data is processed according to the current mission plan, and (2) It includes a bypass state where packets can flow through the module as if it had not. The location at which the dynamic modification is performed is optionally controlled by having a particular module of the computer network 100 in an active state and having a particular module of the computer network 100 in a standby state. The location can be changed dynamically by dynamically changing the current state of the modules 105-107, 113, 114 in an adjusted manner.

The mission plan 220 may include a predetermined sequence for determining the location within the computer network 100 where the IDP is to be operated. The location at which the IDP is manipulated will sometimes change along a predetermined sequence indicated by a reactive trigger event. For example, a reactive trigger event may cause a transition to a new location for manipulation or translation of an IDP as described herein. Thus, a reactive trigger event acts as a basis for the occurrence of a change in the location at which the IDP is modified, and the predetermined sequence determines where the new location will be.

From the foregoing, it will be appreciated that the data packet is modified in modules 105-107, 113, 114 of FIG. 1 to include a false IDP. At some point within the computer network 100, it is necessary to restore the IDP to a true value, so that the IDP can be used to properly perform the intended function according to the particular network protocol. Thus, the arrangement of the present invention also includes dynamically modifying the value assigned for the IDP according to the mission plan 220 in the second location (i.e., the second module). The modification at the second location essentially includes the inverse of the process used at the first location to modify the IDP. Thus, in the second position, the module can recover or convert the false value IDP back to their true value. To accomplish this, the module at the second location must be able to determine at least (1) the selection of the IDP value to be transformed and (2) the correct conversion of the selected IDP to a true value from a false value. In effect, this process includes the inverse of the pseudorandom process or processes used to determine the IDP selection and the changes that have affected such IDP. 1, where the IDP set 122 is received at the module 106 and the IDP value in the IDP set 122 is converted or manipulated back to its original or true value. In this scenario, the module 106 converts the IDP value back to that of the IDP set 120.

In particular, a module must have some way of determining the appropriate conversion or manipulation to apply to each data communication it receives. In some scenarios, this determination is performed by reviewing at least the source address IDP included in the received data communication. For example, the source address IDP may include the IP address of the source computing device. Once true identification of the source computing device is known, the module refers to the mission plan (or information derived from the mission plan) to determine what action needs to be taken. For example, these actions may include converting a particular true IDP value to a false IDP value. Alternatively, this change may include converting the false IDP value back to a true IDP value.

In particular, there will be an example in which the source address IDP information included in the received data communication is changed to a false value. In such an environment, the module receiving the data communication will not be able to immediately determine the identity of the source of the data communication. However, the module that received the communication may still be able to identify the source computing device in such an example. This is accomplished in the receiving module by comparing a false source address IDP value with a look-up-table ("LUT") listing all such false source address IDP values in use for a particular time. The LUT also contains a list of true source address IDP values corresponding to false source address values. The LUT may be provided directly by the mission plan 220 or may be generated by information included in the mission plan 220. In either case, the identification of the true source address IDP value can be easily determined from the LUT. Once the true source address IDP is determined, the module that has received the data communication at that time can use this information to determine what operation is required on the IDP (based on the mission plan).

In particular, the mission plan 220 may also specify a change in the second location where the IDP is restored to a true value. For example, it is assumed that the IDP is dynamically modified at a first location that includes the module 105. The mission plan may specify that recovery of the IDP to a true value occurs in module 106 as described, but instead may alternatively specify that a dynamic modification occurs in module 113, 114 . In some embodiments, the location at which such an operation occurs is dynamically determined by the mission plan in accordance with a predefined sequence. The predefined sequence may determine the position or sequence of modules where the manipulation of the IDP occurs.

Transitions involving dynamic modification at other locations preferably occur in response to a reactive trigger event. Thus, the predefined sequence determines the pattern or sequence of locations where data manipulation occurs, and the reactive trigger event serves as a basis for causing transitions from one location to the next. Reactive trigger events are discussed in more detail below; It should be noted that the reactive trigger event may be based on at least one predefined rule. The rule includes a sentence that defines at least one reactive trigger event. At this point, the user rules may execute packet inspection based schemes, congestion based schemes, heuristic algorithm based schemes and / or NBA analysis based schemes. Each of the listed schemes will be described in detail below. Control over the selection of the second position (i.e., where the IDP returns to a true value) can be effected in the same manner as described above with respect to the first position. Specifically, the operating state of the two or more modules may be toggled between the active state and the bypass state. Operation of the IDP will only occur in modules with active operating states. A module with a bypass operating state will simply pass the data packet without modification.

Alternative methods can also be used to control where the manipulation of the IDP occurs. For example, a network administrator can define several possible modules in a mission plan where IDP can be converted from a true value to a false value. At the occurrence of a reactive trigger event, the new position can be selected from among the various modules by using a pseudo-random function and using the trigger time as the seed value for the pseudo-random function. If each module executes the same pseudorandom function using the same initial seed value, then each module will calculate the same pseudorandom value. The trigger time can be determined based on clock time, such as GPS time or system clock time. In this way, each module can independently determine whether it is the active location where the operation of the current IDP should occur. Similarly, a network administrator can define several possible modules in a mission plan where dynamic operations return the IDP to a true or true value. The choice of which module is used for this purpose can also be determined according to the trigger time and the pseudo-random function, as described herein. Other ways to determine the location or module where an IDP operation will occur are also possible. Accordingly, the present invention is not intended to be limited to the specific methods described herein.

In particular, changing the location of the first and / or second location where the identification function is operated will often result in changing the physical distance between the first and second locations along the network communication path. The distance between the first and second positions is referred to herein as a distance vector. The distance vector may be an actual physical distance along the communication path between the first and second locations. However, it is useful to think of the distance vector as it indicates the number of network nodes that are in the communication path between the first and second locations. It will be appreciated that dynamically selecting different locations for the first and second locations in the network may have the effect of changing the number of nodes between the first and second locations. For example, in FIG. 1, a dynamic modification of the IDP is performed on a selected one of the modules 105, 106, 107, 113, 114. The modules actually used to execute each of the dynamic modifications are determined as described above. If the module 105 is used to convert the IDP to a false value and the module 106 is used to convert them back to true values then there are then three network nodes 108,101 and 109 between the modules 105,106. However, if module 113 is used to convert to a false value and module 114 is used to convert IDP back to true, then there is only one network node 110 between modules 113 and 114. Thus, it can be appreciated that dynamically changing the position of the location where dynamic correction occurs can dynamically change the distance vector. In some scenarios, the distance vector has a variable value that changes the mission plan specified according to the overall network behavior. This variation of the distance vector provides a variability characteristic added to the network transition or modification as described herein.

In the present invention, the manipulation of the IDP value, the selection of the IDP, and the position at which these IDPs are defined are respectively defined as the switching parameters. Every time a change occurs in one of these three switching parameters, it can be said that a network switchover has occurred. At any time, if one of these three switching parameters is changed, it can be said that a network switchover has occurred. In order to most effectively hinder the enemy's efforts to penetrate the computer network 100, the network transition is preferably controlled by a pseudo-random process as described above. Those skilled in the art will appreciate that the chaos process may also be used to perform this function. Although the chaos process is technically different from the pseudo-random function, for the purposes of the present invention, either can be used, and the two are considered to be the same. In some embodiments, the same pseudo-random process may be used to dynamically change two or more of the conversion parameters. However, in some scenarios, two or more different pseudorandom processes are used such that two or more of these transition parameters are modified independently of the others.

Reactive trigger  event

As mentioned above, the dynamic change for each of the switching parameters is controlled by at least one reactive trigger. A reactive trigger is a purely spontaneous or user-initiated event that causes a change to occur in connection with the dynamic modification described herein. In other words, it can be mentioned that the reactive trigger causes the network to switch to a different way from the previous time (that is, before the occurrence of the reactive trigger). For example, during the first period of time, the mission plan or security model may cause the IP address to change from value A to value B, but instead, after a reactive trigger event, the IP address may change from value A to value C . Similarly, during the first period of time, the mission plan or security model may cause the IP address and MAC address to be modified; Instead, after a reactive trigger event, the mission plan or security model may cause the MAC address and user name to be modified.

In its simplest form, the reactive trigger may be based on a packet inspection based scheme, a congestion based scheme, a heuristic algorithm based scheme, and / or an NBA analysis based scheme. The packet inspection based scheme may include analyzing the packet to obtain the origin of the packet, the destination of the packet, the origin or group to which the destination device belongs, and / or an identifier that identifies the type of payload included in the packet. The packet inspection based scheme may also include analyzing the packet to determine whether the code word is contained within or out of it. Techniques for obtaining such packet inspection are known in the art. Any such technique that is currently known or will be known in the future can be used with the present invention without limitation. In some embodiments, a reactive trigger event occurs when the value of the identifier matches a predefined value.

In a packet inspection scenario, the inclusion of a particular type of content in a packet serves as a trigger or as a parameter to select a timing scheme on which the trigger is based. For example, a trigger event may be defined as occurring when (a) a particular person of an entity (eg, a military commander) transmits information to other members of an entity, and / or (b) . Alternatively or additionally, the trigger event may be defined as occurring at the expiration of every N second time intervals as defined by the timing scheme selected according to the particular packet inspection application, where N is an integer. In this regard, in some embodiments, a first timing scheme may be used when (a) the first person of the entity (e.g., the commander of the army) requests a communication session with another member of the entity, or (b) It can be understood that it can be selected when it exists. The second different timing scheme may be selected when (a) a second person of the entity (e.g., an army major) requests a communication session with another member of the entity, or (b) the second code word is present in the packet, . The embodiments of the present invention are not limited to the details of the embodiments provided above. In this regard, it can be appreciated that other contents contained in the packet may define the trigger event. For example, if the payload of a packet contains sensitive or confidential information, then a new mission plan or security model may be selected according to the level of sensitivity or confidentiality of the referred to information.

In such a time-based trigger arrangement, one or more of the switching parameters may change every N (e.g., 60) seconds in accordance with a predefined clock time. In some embodiments, all of the switching parameters may be changed at the same time so that the changes are synchronized. In a more complex embodiment, a time-based trigger arrangement may also be used, but other unique trigger time intervals may be selected for each switching parameter. Thus, the false IDP value can be changed in time interval X, the choice of IDP can vary in time interval Y, and the position at which such a change is performed can occur in time interval Z, where X, Y, and Z are It is a different value.

In an embodiment of the invention that relies on clock time as a trigger mechanism, synchronization (as between clocks) in various modules 105, 106, 107, 113, 114 to ensure that packets are not lost or dropped due to unrecognized IDP Lt; RTI ID = 0.0 > a < / RTI > The synchronization method is well known and any suitable synchronization mechanism may be used for this purpose. For example, a module may be synchronized by using a very precise time reference, such as a GPS clock time. Alternatively, a unique wireless synchronization signal may be broadcast to each module from the central control facility.

Congestion-based schemes include: monitoring and tracking congestion within a computer network; Compares current congestion and threshold; And selecting a mission plan or security model from the plurality of mission plans / models based on the result of the comparison. In some scenarios, a new mission plan or security model is selected when the current congestion is equal to, greater than, or less than the threshold. In this way, changes to the mission plan or security model occur at an apparently irregular time interval based on changes in congestion within the computer network.

The heuristic algorithm-based scheme may include analyzing the network to determine the state. Such network analysis may include monitoring an entropy pattern of the network (i.e., someone communicating with someone) at a particular time of day, a traffic pattern (e.g., the number of users), a protocol pattern, and / The traffic pattern can be determined by gathering information about the number of connections existing from network device use (e.g., processor usage) and network devices (e.g., network servers). The collected information may be compared against the contents of a predefined table or matrix to identify which of a plurality of possible traffic patterns are currently present in the computer network. Based on at least the results of such comparison operations, a new mission plan or security model may be selected from a plurality of mission plans and / or security models for use in a computer network.

In some heuristic scenarios, the mission plan and / or the security model may be configured such that a constant, high level of traffic is maintained in the computer network, despite changes in the amount of actual traffic therein. A certain high level of traffic is maintained by adjusting (i.e., increasing or decreasing) the noise level of the network depending on the amount of actual traffic therein. As a result, at any given time, the amount of actual traffic and the type of traffic pattern are obscured.

The protocol pattern may be determined by gathering information about user activity related to network resources. Such information may include at least one of a history of user activity with respect to at least one user of the computer network, a time at which user activity begins, a time at which user activity ceases, a time at which user activity has elapsed, But are not limited to, information identifying user activity that has occurred. The collected information may be analyzed to determine whether a particular protocol pattern currently exists. If it is determined that a particular protocol pattern currently exists, then a new mission plan or security model may be selected from multiple mission plans / models for use in the computer network. In this way, changes in the mission plan or security model occur at an apparently irregular time interval based on changes in protocol patterns (more specifically, changes in user activity).

The entropy pattern can be determined by gathering information about who is communicating with each other through a computer network. Based on the collected information, a new mission plan or security model is selected from multiple mission plans / models for use in the computer network. In such a scenario, a change in the mission plan or security model occurs at an apparently irregular time interval based on changes in the organizations participating in the communication session.

The NBA analysis is performed for the purpose of determining the level of the NBA, the type of NBA, and / or the number of NBA attacks on the current computer network. Such NBA analysis is well known in the art, and therefore will not be described here. Such an NBA analysis may also include: monitoring and tracking attack events within a computer network; And performing LUT operations for purposes of determining the level of NBA attacks and / or the type of NBA attacks. Any NBA analytical technique that is currently known or will be known in the future can be used with the present invention without limitation. Once the NBA analysis is complete, a new mission plan or security model can be selected from multiple mission plans / models for use in the computer network based on the results of the NBA analysis. For example, if the NBA is a low level NBA and / or determined to be of a first type, then the first mission plan or security model is selected from a plurality of mission plans or security models. Conversely, if the NBA is determined to be a high level NBA and / or a second type, then a second different mission plan or security model is selected from the plurality of mission plans or security models. In such a scenario, the mission plan or security model change occurs at an apparently irregular time interval based on changes in the level of NBA attacks and / or types of NBA attacks. Additionally or alternatively, a new mission plan or security model may be selected when two or more NBA attacks of the same or different level and / or type are currently applied to the computer network. In such a scenario, a mission plan or security model change occurs at an apparently irregular time interval based on changes in the number of attacks currently being performed.

In an embodiment of the invention, the NBA may be identified by a suite of network security software. Alternatively, the NBA may be identified upon receipt of a data packet in a module (105, 106, 107, 113, 114) in which the packet includes one or more IDPs that are inconsistent with the current state of the network transition. Regardless of the basis for identifying an NBA, the presence of such an NBA may serve as a reactive trigger event, as described above.

A reactive trigger event based on the schemes described above may cause the same type of network transition. For example, the location of the false IDP, the selection of the IDP, and the location of the IDP conversion can be maintained stably (i.e., unchanged), except when one or more of the following are detected: a packet with a particular origin or destination; Code words included in the packet; Confidential or confidential information contained in the packet; Specific congestion; Specific traffic patterns; Specific protocol patterns; Specific entropy pattern; Certain levels and / or types of NBA; And the specific number of NBAs currently on the computer network. Such an arrangement may be chosen, for example, in a computer network where frequent network switching is not required to increase security.

Alternatively, based on the scheme described above, a reactive trigger event may cause another type of network transition. In such an embodiment, based on the results of the NBA analysis, the trigger event may have a different effect on the network transition than the trigger event based on the results of the packet inspection and / or heuristic algorithm. For example, NBA-based triggering events can cause strategic or aggressive changes in network conversions to respond more aggressively to those NBAs. The precision of such a measurement depends on the nature of the threat, but may include a variety of responses. For example, other pseudorandom algorithms may be selected and / or the number of IDPs selected for operation in each IDP set 120 may be increased. The response may also include increasing the frequency of network switching. Thus, more frequent changes can be made to (1) a false IDP value, (2) the selection of the IDP to be changed in each IDP set, and / or (3) . Thus, the network transition described herein provides a method for changing the mission plan or security model in a purely voluntary manner based on various factors, thereby increasing security.

mission  flan

The network transition described here is controlled according to the mission plan. A mission plan is a concept that defines and controls the mobility within the context of a network and at least one security model. As such, the mission plan can be represented as a data file communicated from the NAC 104 of FIG. 1 to each module 105-107, 113-114. The mission plan is then used by each module to control the operation of the IDP and to coordinate activities with the operation of other modules in the network.

In some scenarios, the mission plan includes, but is not limited to, the following source-side information: device identification information; IDP identification information about these IDPs which should have a true value changed to a false value; True IDP value; A set of false IDP values (e.g., FV ₁ , FV ₂ , ..., FV _X ); Timing information specifying when to use each of the false values of the set of false IDP values; A pseudo-random or chaotic function for dynamically generating a new false value for a set of false IDP values; A rule specifying when to call a pseudo-random or chaotic function to generate a new value for a set of false IDP values; A rule specifying when an IDP dynamically selects whether to have a true value changed to a false value; A rule specifying the number of IDPs to be selected and which IDP should be selected for value modification; A rule specifying whether the IDP is to be changed at the same time (i. E., All selected IDPs are changed at the same time) or non-simultaneously (i. E., The group of IDPs gradually changes as individual IDPs are added or removed from the selected group of IDPs); And a rule for dynamically changing the location in the computer network where the modification or conversion of the IDP occurs. The mission plan may also include the following destination-side information: a first rule for restoring the false value of the IDP to a true value; And a second rule for dynamically changing a location in the computer network where modification or recovery of the IDP value occurs. The first rule may include rules for determining the selection of at least one of the IDP values to be transformed and / or rules for correct conversion (e.g., using at least one LUT) of the selected IDP from a false value to a true value However, it is not limited to them. Embodiments of the present invention are not limited in this respect. Source side and destination side information may alternatively be included in at least two separate mission plans.

Mission plans can sometimes be modified manually by the network administrator and / or automatically by the NCSA to update or change the way the network switches to interfere with potential enemies. As such, the mission plan can provide the network administrator and / or the NCSA with a means for complete control over the time, place, and manner in which the network transition occurs within the network. Such an update capability allows the network administrator and / or NCSA to adapt the behavior of the computer network to the current operating conditions and to more effectively interfere with the enemy's efforts to penetrate the network.

The multi-mission plan can be manually defined by the user and / or automatically generated by the NCSA. The mission plan can then be stored so that they are accessible to modules within the network. For example, a multi-mission plan may be stored in the NAC 104 and delivered to the module as needed. Alternatively, a plurality of mission plans may be stored on each module and activated as needed or required to maintain security of the network. For example, if the network administrator and / or NCSA determines or suspects that the enemy has discovered the current mission plan for the network, the administrator and / or NCSA may want to change the mission plan. Effective security procedures can also indicate that the mission plan changes periodically.

mission  Manual outbreak of plan

Referring now to FIG. 3, a flow diagram of an exemplary process 300 for manually generating a mission plan is provided. The sequence of the method steps shown in FIG. 3 is exemplary. The present invention is not limited in this order. For example, steps 308-312 may be performed in any sequential order or alternatively in parallel.

The process of generating the mission plan can be initiated by modeling the computer network 100, as shown by step 302. The creation of the model is facilitated by the NCSA running on the computer or server at the network command center. For example, in the embodiment shown in FIG. 1, the NCSA may execute on the NAC 104 of FIG. The network model preferably includes information defining data connections and / or relationships between various computing devices included in computer network 100. [ The NCSA will provide a suitable interface to facilitate the entry of such relationship data. In some scenarios, the NCSA can facilitate entry of data into a table that can be used to define a mission plan. However, in other scenarios, a graphical user interface is used to facilitate this process.

In the next step 304, the network manager performs user-software interaction to define a relationship between each of the various components of the network. In some scenarios, these user-software interactions are accomplished using the Network Topography Model Generator ("NTMG") tool provided by NCSA. The NTMG tool is used to assist the network administrator in defining the relationships between each of the various components of the network. The NTMG tool provides a workspace 400 as shown in FIG. 4 in which a network administrator can drag and drop the network component 402 by using the cursor 404. The network manager may also create a data connection 406 between the various network components 402. As part of this modeling process, a network administrator may provide network address information for various network elements including modules 105-107, 113, and 114 of FIG.

Once the network is modeled, it may be stored in a data store of the system as shown by step 308 of FIG. The network administrator then uses the stored information to define how the various modules 105-107, 113, 114 will behave and interact with each other. At this point, the NCSA can generate a GUI (e.g., window or dialog box) that can be used by the network administrator to further deploy the mission plan. A schematic illustration of an exemplary embodiment 500 of such a GUI is provided in FIG.

5, the drop-down menu 532 may be used to select a particular module (e.g., module 105 of FIG. 1) to which the settings in the GUI 500 will be applied. Alternatively, the network administrator may determine that the settings in the GUI 500 are to be applied to all modules in the network (e.g., by setting the command "All" in the drop-down menu 532) A drop-down menu 532 may be used. The process can continue by specifying whether the fixed setting of the IDP is always modified in each of the modules, or whether the setting of the manipulated IDP is to be changed dynamically. If the selection or setting of the IDP to be manipulated in the module is intended to be changed dynamically, the network manager may display the checkbox 501 to indicate that preference. If the check-box 501 is not displayed, then the set of IDPs to be changed is a fixed set that does not change over time.

GUI 500 includes tabs 502, 504, and 506 that allow the user to select a particular IDP that he or she desires to work with for the purpose of creating a mission plan. For purposes of this disclosure, the GUI 500 facilitates dynamic changes of only three IDPs. Specifically, they include an IP address, a MAC address, and a port address. More or fewer IDPs can be changed dynamically by providing additional tabs, but the three IDPs mentioned are sufficient to illustrate the concept of the present invention. In Figure 5, the user has selected a tab 502 to work with the IP address type of the IDP. Within the tab 502, the various user interface controls 508-520 are provided to specify the details associated with the dynamic change of the IP address in the selected module. More or fewer controls may be provided to facilitate dynamic manipulation of the IP address type, and the controls shown are provided only to assist the reader in understanding the concepts. In the illustrated embodiment, the network manager enables dynamic change of the IP address by selecting the marked check box 508: "Enable IP address hopping" (e.g., with a pointing device such as a mouse) . Similarly, the network manager may indicate whether the source address, the destination address, or both are to be changed. In this embodiment, both the source and destination address boxes 510 and 512 are displayed, indicating that both types of addresses should be changed. The range of allowed values for the source and destination addresses may be specified by the administrator in list boxes 522 and 524.

The particular pseudo-random process used to select a false IP address value is specified by selecting a pseudo-random process. This selection is specified in box 514, 515. Other pseudo-random processes may have different levels of complexity to varying degrees of true randomness, and an administrator may select the process that best suits the needs of computer network 100. [

The GUI 500 also allows the network administrator to set the trigger type to be used for dynamic change of the IP address IDP. In this embodiment, the user selects box 516 and indicates that the time-based trigger will be used to determine when to transition to a new false IP address value. In addition, a check box 518 is selected to indicate that a time based trigger should occur on the periodic basis. Slider 520 may be adjusted by the user to determine the frequency of the periodic time based trigger. In the illustrated embodiment, the trigger frequency can be adjusted to six trigger occurrences per hour (triggered every 10 minutes) to 120 trigger occurrences per hour (triggered every 30 seconds). In this embodiment, the selection is also available for other types of triggers as well. For example, the dialog box 502 includes check boxes 528 and 530 by which network manager to select the event based trigger. Several other specific event types may be selected to form the basis for such event-based triggers (e.g., event type 1, event type 2, etc.). These event types may include detection of various potential computer network security threats. In FIG. 5, tabs 504 and 506 are similar to tabs 502, but the controls therein are tailored to dynamic changes in MAC address and port value rather than IP address. Additional tabs can be provided to control other types of dynamic changes in the IDP.

Referring again to FIG. 3, process 300 continues to step 312, where the network administrator specifies a plan to dynamically change the location at which the IDP is modified. In some embodiments, this variable position feature is facilitated by controlling the sequence that defines when each module is in the active or bypass state. Thus, the NCSA advantageously includes some GUI means for specifying such a sequence. In some embodiments of the invention, this may include the use of a prescribed time interval or time slot separated by the occurrence of a trigger event. A schematic illustration of an exemplary GUI 600 that facilitates such details by a network administrator is provided in FIG.

As shown in FIG. 6, the GUI 600 may be provided by the NCSA to facilitate coordination and entry of position sequences and timing information. The GUI 600 may include a control 602 to select the number of time slots 604 ₁ - 604 _{n to} be included within the time point 606. In the illustrated embodiment, the network manager has defined four time slots per timing origin. The GUI 600 may also include a table 603 that includes all the modules in the computer network 100. For each module listed, the table includes a graphical representation of the available time slots 604 ₁ -604 ₄ for one timing origin 606. It is recalled that the dynamic control of the position at which the IDP is operated is determined by whether each module is in an active or bypass operating state. Thus, within the GUI, the user can move the cursor 608 and have the user select to specify whether a particular module is in an active or bypass mode during each time slot. In the illustrated embodiment, module 105 is active during timeslots 604 ₁ and 604 ₃ , but in bypass mode during timeslots 604 ₂ and 604 ₄ . Conversely, module 113 is active during timeslots 604 ₂ and 604 ₄ , but is in bypass mode during timeslots 604 ₁ and 604 ₃ . 1, this occurs at the location associated with module 105 during time slots 604 ₁ and 604 ₃ , but instead occurs at module 113 during time slots 604 ₂ and 604 ₄ .

In the embodiment shown in FIG. 6, the network manager has chosen to have the module 114 always operate in the active mode (i.e., the module 114 is active during all time slots). Thus, in the data communication transmitted from the client computer 101 to the client computer 103, the data packet is alternatively manipulated in the module 105, 113, but will always be manipulated in the module 114. Finally, in this embodiment, the network manager has chosen to keep modules 106 and 107 in bypass mode for time slots 604 ₁ - 604 ₄ . Thus, no manipulation of any IDP will be performed in these modules for any of the defined time slots.

Referring again to FIG. 3, the network administrator may save the change as part of the updated mission plan, as shown by step 314. For example, if module timing is defined in the GUI 600, the network administrator may select the button 610 of FIG. 6 to store the change as part of the updated mission plan. Mission plans can be stored in a variety of formats. In some embodiments, the mission plan can be stored as a simple table or other type of defined data structure that can be used by each module to control the behavior of the module.

In some scenarios, an existing mission model may need to be manually modified by an operator in a field during operation. The mission model includes a set of relationships that allow the mission to operate. The mission model (a) changes what needs to be protected; (b) allow different kinds of communication; And (c) change the security level based on the mission attack level. Thus, one way to modify the mission model is to select a portion of the mission model; And creating a new mission model. New Mission Models: Added to existing mission models; Connect or combine two or more existing mission models; Subtract a portion from an existing mission model; Divide an existing mission model into two or more mission models; Modify the parameters of an existing mission model; Copy the mission model and modify the copy of the mission model; And / or removing the mission model. Mission models typically control mobility. As such, the mission model includes information that specifies a strategy of movement, a strategy of when to venture and how to do it, a strategy of cloaking, a strategy of shadow networking, and / or a strategy of a communication group. One or more of these strategies can be modified to create a new mission model.

mission  Automatic and dynamic occurrences of plans

In some scenarios, at least one mission plan is generated dynamically and automatically by the NCSA during operation of the computer network (e.g., computer network 100 of FIG. 1). The dynamic generation of a mission plan is based on the concept of operation ("CONOPS"), (2) computing infrastructure resources and network assets, (3) the relationship between infrastructure resources and network assets, (4) And / or (5) an efficiency rating associated with the IDP.

A flow diagram of an exemplary automated process 700 performed by the NCSA to dynamically generate a mission plan is provided in FIG. The sequence of the method steps shown in FIG. 7 is exemplary. The present invention is not limited to this order. For example, two or more of the method steps may be performed in any sequential order or alternatively in parallel.

As shown in FIG. 7, the process 700 begins with step 702 and continues to step 704. In step 704, the pre-stored computer network model and associated component relationship information is obtained by the NCSA. Next, at step 706, the NCSA performs operations to select a module (e.g., module 105, 106, 107, 113, 114 of FIG. 1) of the computer network model to which at least one mission plan is to be applied.

Then, at step 708, at least one IDP to be modified is selected for each of the selected modules. In some scenarios, the IDP (s) include, but are not limited to, IP addresses, MAC addresses and / or port numbers. The IDP (s) may be selected based on (1) the CONOPS, (2) the type of attack on the computer network previously detected by the NCSA, and / or (3) the efficiency rating associated with the IDP. For example, if the CONOPS object must maintain confidential communications and the type of malicious attack detected on the computer network is a Level 1 attack, then the IDP (s) then include the IDP (s) with an efficiency rating of level 1 Yes, just an IP address). Conversely, if the CONOPS object must maintain confidential communication and the type of malicious attack detected on the computer network is a Level 2 attack, then the IDP (s) then include the IDP (s) with a level 2 efficiency rating IP address and port number). If the CONOPS object must maintain confidential communication and the type of malicious attack detected on the computer network is a level 3 attack then the IDP (s) then include the IDP (s) with a level 3 efficiency rating And MAC address). If the CONOPS object must maintain confidential communication and the type of malicious attack detected on the computer network is a Level 4 attack then the IDP (s) then include the IDP (s) with a level 4 efficiency rating , MAC address, and port number). The embodiments of the present invention are not limited to the details of these embodiments.

Next, at step 712, a determination is made as to whether the IDP (s) are to be dynamically changed. If the IDP (s) should be dynamically changed, then step 714 is performed in which the details associated with the dynamic change are specified. In this regard, step 714: enables the IDP hopping for each IDP to be changed dynamically; Indicates whether the source and / or destination IDP (s) are to be changed; Specifying a range of allowed values for each IDP; Selecting a pseudorandom function or a chaotic function to be used for the false value generated for each IDP; And / or setting a trigger type to be used for dynamic change of values for each IDP. Each of these enumerated actions may be based on (1) the type of activity detected in the CONOPS object and / or (2) the computer network. For example, if a CONOPS object must secure all communication sources and a level 1 attack is detected, then only the source IDP should be dynamically modified based on the first pseudo-random function. Conversely, if the CONOPS object must secure all communication destinations and a level 2 attack is detected, then only the destination source IDP should be dynamically modified based on the second different pseudo-random function. If a CONOPS object must secure all communication sources / destinations and a level 3 attack is detected, then the source / destination IDP must be dynamically modified based on at least a third different pseudo-random function. CONOPS If the target is to secure all communication sources / destinations and a level 4 attack is detected, then the source / destination IDP must be dynamically modified based on at least one chaotic function. The embodiments of the present invention are not limited to the details of these embodiments.

Upon completion of step 714, step 716 is performed wherein the additional details are specified to dynamically change the location at which the IDP can be modified. In this regard, step 716 includes selecting the number of time slots to be included in the time base for each of the selected modules. This choice may be based on the distance vector described above. In some scenarios, the distance vector has a variable value that varies with the overall network behavior specified by the mission plan. At the next step 718, the mission plan is saved. The processor 700 then terminates or other processing is performed.

In some scenarios, the mission model may need to be modified automatically during operation. The mission model includes a set of relationships that allow the mission to operate. The mission model is: (a) changing what needs to be protected; (b) allow different kinds of communication; And (c) to change the security level based on the mission attack level. Thus, one way to modify the mission model is to select a portion of the mission model; And creating a new mission model. Mission models are added to existing mission models; Connect or combine two or more existing mission models; Subtract a portion from an existing mission model; Divide an existing mission model into two or more mission models; Modify the parameters of an existing mission model; Copy the mission model and modify the copy of the mission model; And / or removing the mission model. Mission models typically control mobility. As such, the mission model includes information that specifies a strategy of movement, a strategy of when to venture and how to do it, a strategy of cloaking, a strategy of shadow networking, and / or a strategy of a communication group. One or more of these strategies can be modified to create a new mission model.

mission  Plan collision analysis

If more than one mission plan is generated, the NCSA performs operations to identify and resolve any conflicts between module operations defined by them. In some scenarios, a conflict analysis is performed and each time a new mission plan is generated by the network administrator and / or the NCSA and before the distribution and loading of the new mission plan, as described below.

A schematic illustration of an exemplary process 800 for identifying and resolving a mission plan conflict is provided in FIG. As shown in FIG. 8, process 800 begins with step 802 and continues to step 804. At step 804, at least two mission plans are retrieved from the data repository. The searched mission plan may include a newly generated mission plan (i.e., not yet distributed and unloaded) and / or a previously generated mission plan (i.e., previously generated but distributed and loaded or otherwise) It does not.

The retrieved mission plan is then used in step 806 to simulate the network behavior defined by them. For example, the first mission plan is: the true value of the first source IP address is modified to a false value in module 105 for a first predetermined time period; A false value is selected from a prescribed set of false values based on a first pseudorandom function; And specifies that a false value is reselected every 10 seconds. The second mission plan is modified to a false value in module 105 during a second defined period of time in which a true value for a second source IP address at least partially overlaps with a first predetermined period of time; A false value is dynamically selected from a defined set of false values based on a second pseudorandom function; And specifies that the false value is reselected every time. In this case, the operation of the module 105 is simulated as defined in the first and second mission plans.

Based on the results of the simulation, at least one table, chart, or graph is generated in step 808 that may subsequently be used to identify any conflicts in the module behavior as a result of executing the mission plan. For example, a table, a chart, and / or a graph may include (1) a false value of a first source IP address always for a first predetermined period of time, and (2) a second source IP address But it is not limited to them.

Next, at step 812, the contents of the table (s), chart (s) and / or graph (s) are compared with one another. Based on the results of this comparison, a determination is made, at step 814, whether any conflicts exist between module behaviors defined by the mission plan. For example, in some scenarios, a determination is made as to whether the false values for the first and second source IP addresses are the same at any given time in the overlapping periods of the first and second predetermined periods of time.

If a determination is made that the conflict does not exist between the module behaviors defined by the mission plan [814: No], then at least one of the mission plans is distributed and loaded, step 816 is performed. The manner in which the mission plan is distributed and loaded will be described in detail below.

If a determination is made that the conflict exists between the module behaviors defined by the mission plan [814: YES], then at least one of the mission plans is modified (step 818). Thereafter, step 820 is repeated where the process 800 is repeated using the modified mission plan (s) and / or the unmodified mission plan (s).

mission  Distribution and loading of plans

The distribution and loading of the mission plan as described herein will now be described in more detail. Referring again to FIG. 1, it can be seen that modules 105-107, 113, 114 are distributed across computer network 100 at one or more locations. The module is integrated into the communication path to prevent communication at such a location, perform necessary operations, and send the data to other computing devices in the network. With the arrangement described above, any necessary maintenance of the modules described herein (e.g., maintenance to update the mission plan) may have the potential to interfere with network communication, while the modules are replaced or reprogrammed. Such intervention is undesirable in many situations where the reliability and availability of network services is essential. For example, unobtrusive network operation may be essential for military networks, emergency services, and computer networks used by businesses.

To ensure uninterrupted network operation, each module preferably has several operating states. These operating states include (1) an off state in which the module is powered off and not processing any packets, (2) a startup state in which the module installs software scripts according to the mission plan, (3) (4) a bypass state where packets may flow through the module as if no module were present. The module is configured to allow the module to receive and load the updated mission plan provided by the network administrator when it is in the active or bypass state. The module operational state can be manually controlled, for example, by the network administrator by NCSA execution on the NAC 104. For example, a user can select an operational state for various modules through use of a graphical user interface control panel. Alternatively, the module operating state may be automatically controlled, for example, by NCSA execution on the NAC 104. [ Commands for controlling the operational state of the network may be communicated through the computer network 100 or may be communicated by any other suitable means. For example, a separate wired or wireless network (not shown) may be used for such purposes.

The mission plan can be loaded directly from the physical location of each module, or it can be transferred from the NCSA to the module. This concept is shown in FIG. 9, which shows a mission plan 904 from NCSA 902 to each of modules 105-107 via communication medium 906. FIG. In the illustrated embodiment, the NCSA software application runs on the NAC 104. The communication medium includes in-band signaling using the computer network 100 in some embodiments. Alternatively, an out-of-band network (e.g., a separate wireless network) may be used as the communication medium 906 to convey the updated mission plan from the NCSA to each module.

In a scenario where the NAC is controlled by the network administrator, the NCSA may provide the GUI 1000 to facilitate selection of one of the multiple mission plans 1002, as shown by FIG. Each of these mission plans 1002 may be stored on the NAC 104. The network administrator can select from one of the multiple mission plans 1002 and then activate the "send mission plan" button 1004. Approximately, a plurality of mission plans can be delivered to each module and stored there. In either scenario, the user can choose to activate one of the defined mission plans.

In scenarios where network mobility is automatically controlled, the NCSA selects at least one mission plan from a plurality of mission plans based on the results of the collision analysis as described above. Then, the NCSA generates an instruction to send the mission plan (s).

In response to the command to send the mission plan, the selected mission plan is delivered to the module while they are in an active state configured to actively perform dynamic modification of the IDP as described herein. Such an arrangement minimizes the time during which the network is apparently operating without tampering with the IDP. However, the updated mission plan can also be passed to the module, while they are in bypass mode, and this approach can be desired in certain cases.

If a mission plan is received by the module, it is automatically stored in the memory location in the module. Thereafter, the module may be caused to enter the bypass state, while still in that state, the module may load data associated with the new mission plan. This process of entering the bypass state and loading new mission plan data may occur automatically in response to receiving the mission plan, or may occur in response to commands from the NCSA software controlled by the network administrator. The new mission plan preferably includes a change in such a way that the IDP value is changed. Once the new mission plan is loaded, the modules 105-107, 113, 114 may transition from the bypass mode to the active mode in a synchronized manner to ensure that no data communication errors occur. The mission plan can specify the time when the module should return to active mode, or the network administrator can use the NCSA to direct commands to various modules and direct them to enter active mode. The aforementioned process of updating the mission plan advantageously allows changes in the network security procedures to occur without interfering with communication between the various computing devices attached to the computer network 100. [

The dynamic manipulation of the various IDPs in each of the modules 105, 106, 107, 113, 114 is preferably controlled by the application software executing on each of the modules 105-107, 113, 114. However, the behavior of the application software is advantageously controlled by the mission plan.

Referring now to FIG. 11, a flowchart is provided that summarizes the operation of each module 105-107, 113, 114. To avoid confusion, process 1100 is described for communication in a single direction. For example, in the case of module 105, a single direction may include data sent from client computer 101 to hub 108. [ In practice, however, it is preferred that modules 105-107, 113 and 114 operate in both directions. The process begins at step 1102 when the module is powered up and continues to step 1104 where the module application software is started to execute the method described herein. At step 1106, the mission plan is loaded from the memory location in the module. At this point, the module is ready to begin processing the data and proceeds to do so in step 1108, where it accesses the data packet from the module's input data buffer. At step 1110, the module verifies that it is in the bypass mode of operation. If so, the data packet accessed at step 1108 is retransmitted at step 1112 without any modification of the data packet. If the module is not in bypass mode, then it must be in the active mode of operation and step 1114 is reached. In step 1114, the module reads the data packet to determine the identity of the source node from which data packet was generated. At step 1116, it examines the packet to determine whether the source node is valid. The specified source node may be compared to a list of valid nodes to determine whether the specified source node is currently valid. If it is not a valid node then the packet is discarded in step 1118. At step 1120, the process identifies whether a trigger event has occurred or not. The occurrence of a trigger event can affect the selection of a false identification value to use. Thus, at step 1122, the module determines a false identification value to use based on the one or more trigger information, the clock time, and the mission plan. The module then proceeds to step 1126, where it manipulates the IDP of the data packet. When the operation is completed, the data packet is retransmitted from the output port of the module to the adjacent node. At step 1130, a determination is made as to whether the module is commanded to power down. If so, the process ends at step 1132. At step 1108, the process continues and the next data packet is accessed from the module's input data buffer.

Enterprise mission  management

The overall behavior of the switched computer network (e.g., computer network 100 of FIG. 1) is managed from an enterprise perspective as the computer network operates in accordance with the enterprise CONOPS, as well as the mission CONOPS. In this regard, the overall behavior of the computer network is defined by the sum of the module behaviors specified in the mission plan executed in the computer network, as shown in Fig. Thus, the NCSA manages the distribution and control of the mission plans to the endpoints or endpoint areas of the computer network, based on analysis of the relationships between the various layers that define the computer network architecture as well as the overall enterprise objectives / rules / policies . As in FIG. 13, the layer may include, but is not limited to, a CONOPS layer, a network architecture layer, and a move target technology parameter layer.

In some scenarios, the graphical user interface is provided to a computer system used by a network administrator. The graphical user interface is generally configured to represent a schematic view of the current overall behavior of the computer network. The contents of the abstract city change dynamically as the behavior of the computer network changes. For example, when a new mission plan is used or an old mission is deactivated, the schematic city is modified to reflect this change. The graphical user interface also allows the user to view the operations performed by each node or to select nodes in the network in real time or substantially in real time. The graphical user interface may include a widget to allow the user to selectively modify the behavior of the entire network or at least one node of the network.

Referring now to FIG. 14, a flow diagram of an exemplary method 1400 for enterprise mission management of a dynamic computer network is provided. The method 1400 begins at step 1402 and continues to steps 1404-1406 where the tracking operation is performed by the NCSA. The tracking operation tracks the number of mission plans to activate at any given time; And tracking the "life to live" of all active mission plans.

Next, at step 1408, the NCSA performs the operations of observing and analyzing aspects of the computer network (e.g., computer network 100 of FIG. 1). These operations are performed to determine when a new mission plan needs to be distributed. Accordingly, these operations may include but are not limited to one or more of the following operations: packet inspection operation; Congestion-based operation; Network state based operation; User active based operation; And network attack-based operations.

In some scenarios, the packet inspection operation may analyze the packet to obtain information identifying the origin of the packet, the destination, origin or origin of the packet, the group to which the destination belongs, and / or the type of payload included in the packet; Analyze the packet to determine whether a code word is included therein; Compare the information stored in the data store with information obtained from the packet to determine if a match exists; And / or whether the trigger event has occurred to distribute a new mission plan based on the result of the comparison.

In some scenarios, congestion-based operations monitor congestion within a computer network; Track congestion within a computer network; And / or comparing the threshold and the current congestion to determine whether the trigger event has occurred to distribute a new mission plan.

In some scenarios, network state based operations include: monitoring the state of the computer network; Track the state of the computer network; Analyze the computer network to determine its state; And determining whether the trigger event has occurred to distribute a new mission plan based on the results of the analysis.

In some scenarios, user activity based actions include: monitoring user activity within a computer network; Collects information about user activities; Analyze the collected information to determine whether a particular protocol pattern is present; And determining whether the trigger event has occurred to distribute a new mission plan based on the results of the analysis.

In some scenarios, network attack-based actions include: monitoring attack events within a computer network; Track attack events within a computer network; Performing a LUT operation to determine the level of attack and / or type of attack on the computer network; And determining whether the trigger event has occurred to distribute a new mission plan based on the result of the LUT operation.

Referring again to FIG. 14, the method 1400 continues to step 1410 where the NCSA performs operations to understand and define new mission requirements consistent with the enterprise and mission CONOPS. At this point, the NCSA determines which modules the new mission plan (s) will be distributed to. Subsequently, steps 1412 and 1414 are performed.

Step 1412 includes selecting a new mission plan from a plurality of pre-stored mission plans based on results from analyzing new mission requirements and operational aspects of the computer network. For example, if a level 1 attack is detected, then the first mission plan is selected. Conversely, if a level 5 attack is detected, then a second different mission plan is selected.

Step 1414 includes generating and storing a new mission plan. The new mission plan can be generated manually by the network administrator or automatically by the NCSA as described above. In all scenarios, a new mission plan can be generated based on the results from analyzing the new mission requirements and the operational aspects of the computer network. For example, the chaotic function for the timing scheme, pseudorandom function and / or mission plan may be determined based on the type of trigger event detected in step 1408, the content contained in the packet, the current congestion of the computer network, May be selected based at least in part on the type of user activity within the computer network, the level of attack detected on the computer network, and / or the type of attack detected on the computer network.

If a new mission plan is selected or generated, step 1416 is performed by the NCSA. At step 1416, the NCSA performs a conflict analysis, as described above, to identify any conflicts existing between the module operations defined by the new mission plan and the module operations defined by all active mission plans. If the NCSA determines that there is a conflict [1418: YES], then the new mission plan is modified as shown by step 1420. Then, the collision analysis is performed using the modified mission plan. If the NCSA determines that no conflicts exist, then step 1422 is performed where a new mission plan is passed to the module (s) of the computer network, where the mission plan is stored in the memory location.

When the network administrator and / or the NCSA is ready to execute a new mission plan, the command is sent to step 1424 to allow the module (s) to enter the idle mode as described herein. Module (s) enter this standby mode, while in step 1426 the mission plan is loaded. Loading of the mission plan occurs in the module (s) such that the mission plan can be used to control the operation of the application software executing on the module (s). In particular, the mission plan is used to control how the application software performs dynamic operations of the IDP. Upon completion of step 1426, the method 1400 continues to step 1428 of FIG. 14B.

At step 1428, the module (s) enters the active mode of operation in which the module (s) performs the operation of the IDP according to the mission plan. Steps 1424, 1426 and 1428 may occur in response to a specific command sent from the network manager or may occur automatically in module (s) in response to receiving the mission plan at step 1422.

At step 1428, the module (s) continues to perform processing according to the mission plan being loaded. At step 1430, the method 400 continues by observing and analyzing the operational aspects of the computer network to determine when and when an active mission plan should be placed in the inactive state. For example, if the network administrator and / or the NCSA determines or suspects that the enemy has found an active mission plan for the computer network, then it may be required to change the mission plan to keep the computer network secure.

If the NCSA determines that none of the active mission plans should be placed in the inactive state [1432: NO], step 1436, described below, is performed. Conversely, if the NCSA determines that the active mission plan should be placed in the inactive state 1432: Yes, the step 1432 where the mission plan is inactive is performed (i.e., the module (s) Thereby stopping performing the operation. Then, step 1436 is performed (e.g., method 1400 returns to step 1404) where method 1400 ends or another process is performed. Another process may involve reconfiguring the computer network to operate in accordance with another mission plan intended to secure the computer network.

Referring now to FIG. 15, there is provided a block diagram illustrating a computer architecture of an exemplary module 1500 that may be used to perform the operations of an IDP described herein. Module 1500 includes a processor 1512 (such as a central processing unit ("CPU")), a main memory 1520 and a static memory 1518 that communicate with each other via a bus 1522. Module 1500 may further include a display unit 1502, such as a liquid crystal display ("LCD"), to indicate the status of the module. Module 1500 may also include one or more network interface devices 1516 and 1517 that allow the module to simultaneously receive and transmit data on two separate data lines. The two network interface ports facilitate the arrangement shown in Figure 1 in which each module is configured to simultaneously block and retransmit data packets received from two separate computing devices on the network.

Main memory 1520 includes a computer readable storage medium 1510 that stores a set of one or more instructions 1508 (e.g., software code) configured to execute one or more of the methodologies, procedures, or functions described herein do. The instruction 1508 may also remain completely or at least partially within the static memory 1518 and / or within the processor 1512 during execution by the module. Static memory 1518 and processor 1512 may also constitute a machine-readable medium. In various embodiments of the invention, the network interface device 1516 coupled to the network environment communicates over the network using an instruction 1508.

Referring now to FIG. 16, an exemplary NAC 104 is shown in accordance with the arrangement of the present invention. NAC 104 may be a set of instructions that specify actions to be taken by a server computer, a client user computer, a personal computer ("PC"), a tablet PC, a laptop computer, a desktop computer, a control system, or (sequential or otherwise) And any other device capable of executing the program. In addition, while a single computer is shown in FIG. 16, the phrase "NAC" refers to a computing device that executes a set (or multiple sets) of instructions individually or in combination to perform any one or more of the methodologies discussed herein But may be understood to include any set.

Referring now to Figure 16, the NAC 104 includes a processor 1612 (such as a CPU), a disk drive unit 1606, a main memory 1620 and a static memory 1618, which communicate with each other via a bus 1622. [ . The NAC 104 may further include a display unit 1602 such as a video display (e.g., LCD), a flat panel, a solid state display, or a cathode ray tube ("CRT"). NAC 104 may include a user input device 1604 (e.g., a keyboard), a cursor control device 1614 (e.g., a mouse), and a network interface device 1616.

Disk drive unit 1606 includes a computer readable storage medium 1610 that stores a set of one or more instructions 1608 (e.g., software code) configured to execute one or more of the methodologies, procedures, . The instruction 1608 may also remain completely or at least partially within the main memory 1620, static memory 1618, and / or within the processor 1612 during its execution. Main memory 1620 and processor 1612 may also constitute a machine-readable medium.

Those skilled in the art will recognize that the module architecture shown in Figure 15 and the NAC architecture in Figure 16 each represent only one possible embodiment of a computing device that can be used to perform the methods described herein . However, the invention is not limited in this respect, and any other suitable computing device architecture may also be used without limitation. Dedicated hardware implementations including, but not limited to, special purpose integrated circuits, programmable logic arrays, and other hardware devices may similarly be configured to execute the methods described herein. Applications that may include devices and systems of a wide variety of embodiments include various electronic and computer systems. Some embodiments may perform functions as two or more specific interconnected hardware devices having associated control and data signals transmitted between and through the modules, or as part of a special purpose integrated circuit. Thus, the exemplary system is applicable to software, firmware, and hardware implementations.

According to various embodiments of the present invention, the methods described herein are stored as a software program on a computer-readable storage medium and configured to operate on a computer processor. In addition, software execution may also include, but is not limited to, distributed processing, component / object distributed processing, parallel processing, virtual machine processing, which may be configured to execute the methods described herein.

15 and 16, which are single storage media, while the term "computer-readable storage medium" refers to a medium or medium that stores a set of one or more instructions, E.g., a central or distributed database, and / or associated caches and servers). The term "computer readable storage medium" may also be taken to include any medium that allows a machine to store, encode, or load a set of instructions during execution by the machine and cause the machine to perform any one or more of the methodologies of the present disclosure. .

Thus, the term "computer readable medium" includes solid state memory, such as a memory card or other package housing one or more read-only (non-volatile) memory, random access memory, or other rewritable (volatile) memory; Magnetic or optical media, such as a disk or a tape. Accordingly, the present disclosure encompasses any one or more of the computer-readable media as enumerated herein, and is intended to include perceived equivalents and media in which software executions are stored.

Computers connected to other logical networks Device  Communication

Before describing another aspect of the arrangement of the present invention, it is useful to consider the operation of a conventional switch. Conventional switches couple multiple segments of a network together. The simplest device to perform this function is called the "hub " and operates on the physical layer. The hub does not perform any traffic management tasks on data packets, but simply copies all data traffic entering the port and propagates it to all other ports. Layer 2 (or "network") switch has the ability to operate up to the link layer and inspect packets entering the switch and direct each packet to the appropriate port based on the destination physical address of the link layer packet. A switch is different from a hub in that it can send packets to its destination without propagating across all ports. A multi-layer switch (e.g., a Layer 3 switch) can operate up to the network layer, the transport layer, and / or the application layer and can be used for IP multicasting, IP security, firewall, load balancing, secure socket layer encryption / It is possible to perform tasks requiring knowledge of upper layer protocols. A switch operating in an upper layer may perform some or all of the router and bridge functions. Conversely, routers and bridges can also perform lower layer switching functions.

The switch sends packets to the next hop by correlating each output port with a specific physical address. As mentioned above, the switch primarily operates in the data link layer. The data link layer message (i.e., data packet) is passed to the physical address representing the "next hop" in the path of the data packet. An example of a physical address is the MAC address for the network interface of the host machine. The MAC address is resolved using a link layer protocol such as an address determination protocol ("ARP") and then this information is stored in the table for quick reference (e.g., ARP table). When a packet destined for a particular host is received, the switch retrieves the destination MAC address on the ARP table, places the port associated with that MAC address, and sends the packet. If the MAC address for the destination host is not listed in the ARP table, the switch can propagate the ARP polling message on all output ports. If the destination host is connected to the switch, it will respond with a reply and the switch will send a packet to the host using the port that received the reply. The switch may also record the port and network address in the ARP table for future forwarding to the MAC address.

Multilayer switches operating at the network layer or those mentioned above may use logical addresses (e.g., IP addresses) to send packets to their destination. Although the network layer function and the layer function above are generally handled by the router, there is little functional difference between the conventional router and the Layer 3 (or network layer) switch. In either case, the switch (or router) receives a data packet destined for a particular host with a logical address (i.e., a network layer or protocol address). After receiving the packet, the network layer switch will compare the routing table with the destination IP address of the packet to determine both the logical and physical addresses of the next hop in the path to the destination host. The network layer switch then sends the packet to the next hop. The main difference between packets received at the Layer 3 switch versus packets received by the Layer 2 switch is that the destination address (e.g., MAC address) of the link layer packet received at the Layer 3 switch is that of the switch itself. As described above, the link layer packet is delivered to the next hop in the path of the packet. The Layer 3 switch (or router) that receives the packet is responsible for determining the next hop for the packet based on the next hop of the packet and based on the network layer address (e.g., IP address) or other information contained in the packet. Conversely, the Layer 2 switch receiving the packet reads the link layer destination address and sends the packet to the next hop, but the Layer 2 switch itself is not the destination.

The mobile target technology ("MTT") switch may perform packet forwarding as described above for MTT enabled network operations in accordance with at least one mission plan at any given time. The MTT switch can perform the inherent functionality of the switch described above for MTT enabled traffic. In some embodiments, the MTT switch may also be arranged to automatically distinguish between MTT enabled traffic and conventional data traffic for the purpose of determining how to properly perform such switching operations. The mission plan defines a set of transformations performed on the IDP of data traffic in the MTT enabled network and the location at which such transformations are performed within the network. As a module, an MTT enabled switch can be loaded into one or more mission plans. Additionally, the MTT switch can perform the functions of the module and convert the IDP of the data packet according to the mission plan.

Current switch technology sends data by "pinning " a particular physical address to a particular port on the switch in the ARP table, as described above. As a result, conventional switches can not handle MTT enabled traffic because the IDP can move according to the mission plan. For example, the IP address of the source and / or destination host, the MAC address of the source and / or destination host, or both may be dynamically modified before reaching the switch. An MTT enabled switch has the ability to operate in accordance with the mission plan and moves the identity to send the switched data packet correctly. For example, when a packet arrives at the MTT switch, the IDP of the data packet is analyzed and the destination host is compared to a dynamic ARP table driven and modified by the mission plan.

The dynamic ARP table is materialized and / or modified by the mission plan. The mission plan has information about the operation of the IDP over the entire network and can therefore provide the switch with an ARP table that is sufficiently specific for use when sending packets. This dynamic modification of the ARP table can occur in a number of ways. In a particular embodiment, the value in the ARP table is specified by the mission plan when it is loaded on the switch. In such a scenario, the ARP table value is rewritten each time a new mission plan is activated. In other words, the value in the ARP table is changed to facilitate accurate switching of the packet using the IDP as currently operated for use in the network according to the mission plan. In another embodiment, the relationship between the values in the ARP table is updated by the mission plan. For example, the relationship between a port and various device addresses can be updated by a mission plan. In each scenario, the mission plan updates or modifies the ARP table so that the switch functions correctly with the manipulated IDP at the time of use at a particular time. As described above, the operation of the IDP can be changed based on the reactive trigger event. The mission plan will define what changes will occur in response to certain types of reactive trigger events. Therefore, each reactive trigger event can cause modification or update to the dynamic ARP table.

In some scenarios, the switch includes dedicated ports serving both static and MTT enabled networks. In effect, the switch is divided into a static port serving a static network and an MTT port serving a dynamic network. In such a scenario, each set of ports may have a separate ARP table or may share an ARP table that includes a static section and an MTT section. At least a portion of the ARP table serving the MTT enabled port is determined according to the mission plan and changes in response to a predetermined reactive trigger event defined by the mission plan. In yet another embodiment, the switch can identify MTT enabled traffic and convert the IDP of the data packet to a static IDP (i.e., a true IDP). After the IDP is converted, the switch can process the data packet using a conventional switching algorithm using a static ARP table. The switch can then send a packet with a true IDP, or a packet with a false IDP. A false IDP may be the same as those contained in the packet when received, or the switch may manipulate the IDP to include another set of false IDPs. The manner in which the packet is processed in either case can be determined by the mission plan as described above.

In certain embodiments, both static and dynamic data traffic may be present in the network at the same time. Therefore, the ability to accommodate both static and dynamic traffic is important. For example, the data may be static or dynamic based on the value or importance of the data. A host computer operating in accordance with a particular mission plan may enable MTT for data sent to a particular application or to a particular server. Conversely, web browsing data or other low preference data may be sent without enabling MTT. Therefore, all network equipment, including switches, can accommodate both static and dynamic traffic simultaneously, and can handle forwarding and forwarding of MTT-enabled packets in addition to forwarding static packets over the same network.

In certain embodiments, the switch may be coupled to multiple networks operating other mission plans. Alternatively, one or more of the networks connected to the switch may be static (i.e., not MTT enabled). In this situation, the switch can act like a bridge and switch between networks operating other mission plans, or between the MTT network and the static network. A switch operating between these network boundaries may have an ARP table for each network, or each section may have an ARP table with multiple sections corresponding to different networks. In either scenario, the ARP table can be dynamically materialized according to the mission plan.

In addition to forwarding MTT enabled data packets according to the mission plan, the MTT switch can also manipulate the switching behavior based on the mission plan by pseudo-randomizing the output ports used to send packets to a particular destination . For example, a switch may have one port leading from the same enterprise wide area network to another router connected to another network. The switch may have a second port leading to a gateway to the Internet. All paths can be directed to the same destination, and switches can pseudo-randomly alternate between paths when forwarding packets to the same final destination. Alternatively, or in addition, the switch may propagate unrelated packets on some or all of the ports to produce noise in the network. Unrelated packets may contain useless bits of random data in an encrypted form to confuse and disturb the individuals and systems attempting to penetrate the network. MTT switches may alternate between these behaviors or any combination depending on one or more mission plans.

Optionally, the switch may further apply a set of filtering rules to act as a firewall. In a particular embodiment, the switch can identify MTT enabled traffic based on the mission plan and filter all other traffic. In another embodiment, the switch may detect anomalies in the data traffic. The filtering rules may be designed to direct MTT-capable and / or anomalous packets to a "honeypot" server that can mimic the behavior of the network system to attract attack traffic. By filtering out MTT-not-enabled and / or anomalous packets associated with honeypots, especially those associated with attack traffic, network administrators can prevent attacks, analyze network vulnerabilities, and / or are based on the behavior of unauthorized traffic. You can develop new technologies to respond to attacks. Alternatively, packets that are not MTT-capable may be discarded immediately, or filtered using conventional firewall techniques.

To further understand this function of the MTT switch described herein, Figure 17 and the following embodiment are considered. Referring now to FIG. 17, an exemplary network 1700 is provided. The network includes a host 1702, a module 1704, switches 1706 and 1712, routers 1708 and 1710, and a host 1714. As shown in FIG. 17, the data packet is sent to the IDP 120. In one exemplary embodiment, module 1704 may convert IDP 120 to IDP 122 as previously described. In an alternative embodiment, module 1704 may be in host 1702 or switch 1706. Additionally, routers 1708 and 1710, switch 1712, and host 1714 may also include modules. Although Figure 17 shows a data packet traveling in one direction, those skilled in the art will recognize that data traffic can flow in both directions using known duplication techniques.

In the first embodiment, the network segment includes three separate components connected in series: the PC 1702, the MTT module 1704, and the MTT switch 1706, the PC 1702, It is the source host for the data stream entering the network. A module 1704 is coupled between the PC 1702 and the switch 1706 that is capable of performing a pseudo-random transformation on the data stream transmitted by the PC 1702. When the data stream reaches the switch 1706, the various IDPs 122 of the data packets in the stream appear to be converted in a random manner by the module 1704. More specifically, a portion of the IDP value 120 is converted into a pseudo-random value 122 according to the mission plan. MTT enabled switch 1706 operates in accordance with the same mission plan and therefore remains in a state where it can properly send packets in the data stream to the next interface. In an alternative configuration, module 1704 need not be a separate component, but may be embedded within PC 1702 as discussed above.

In a second embodiment, the module 1704 is embedded within the switch 1706 and the switch 1706 itself can convert the data packet IDP 120 according to the mission plan. In such a scenario, the switch may receive a data stream that is no longer MTT enabled, i.e., the IDP 102 of the data packet is not translated. The switch then modifies the IDP to identify the false IDP 122 before they are sent to the network. At switch 1706, a conversion may occur at the input or output port. In other words, the IDP 120 may be translated before or after determining which port the switch will send the packet over.

In the third embodiment, MTT switch 1706 connects two networks operating along different mission plans represented in FIG. 17 as a network connected to routers 1708 and 1710. For clarity and to avoid obscuring the present invention, the network attached to routers 1708 and 1710 is not shown. Specifically, one of the networks (e.g., router 1708) is a static network that is not MTT capable. Data traffic transmitted between two networks must be transformed by switch 1706 before it can be sent to another network. For example, the IDP 122 of the data packet arriving at the switch from the MTT enabled network must be translated to specify the static value 120. Conversely, the IDP of the data packet arriving at the switch from the static network must be converted to specify the IDP according to the currently active mission plan.

In the fourth embodiment, MTT switch 1706 includes a network A (i.e., router 1709), B (i.e., router 1710), C (i.e., router 1711), and D ). Networks A, B, and C are dynamic MTT enabled networks that operate according to one or more mission plans. Network D is a static network that is no longer MTT enabled. When data is received at the MTT switch 1706, it indicates that they are false (corresponding to what is expected according to the current mission plan of network A, B, or C) that corresponds to the current state of network A, B, 0.0 > MTT < / RTI > enabled data with IDP. If so, switch 1706 performs suitable MTT processing using one or more mission plans to route data to the appropriate destination network. If the destination network is a static network (in this embodiment, network D, router 1708), then this process may be performed with a set of false IDPs (e.g., if the packet is sourced from the MTT enabled network) Lt; / RTI > Alternatively, such processing may be accomplished by sending a first set of false IDPs corresponding to the MTT enabled source network (e.g., network A, router 1709) to the MTT enabled destination network (e.g., network B, router 1710) To a second set of pseudo IDPs corresponding to < RTI ID = 0.0 > a < / RTI > The first and second sets of false IDPs may comprise different choices of IDPs for which false and / or other false values are constructed for the same set of IDPs. Alternatively, if switch 1706 determines that the received packet contains anomalous MTT data that does not correspond to the current state of any network, then the received packet is discarded or sent to a "honeypot " Can be.

The exemplary configurations described above are not intended to be limiting. Further, the embodiment is not limited to the network topology shown in Fig. As mentioned above, the function of the switch can be established with other network devices (e.g., routers and bridges). Additionally, the functions of modules and firewalls can be merged into switches, routers, and / or bridges. The network components can be combined to arrive at a dynamic network system tailored to any set of needs.

Referring now to FIG. 18, a flow diagram of process 1800 further illustrating the operation of the MTT switch is provided. When the switch is powered up, the process begins at step 1802 and continues to step 1804 where the switch application software is started to execute the method described herein. At step 1806, one or more mission plans are loaded from memory locations in the switch. The ARP table is also materialized according to the mission plan. The mission plan can define a dynamic transition of a plurality of network segments within a single dynamic computer network. One or more mission plans may be loaded into the switch in a manner similar to that described above with respect to the module. In some scenarios, the mission plan is loaded and activated in the memory of the switch, thereby generating a trigger event. The trigger event acts as a gate that separates the traffic received before the trigger event processed using the previously active ARP table and the traffic received after the trigger event processed using the newly activated ARP table. This can happen in several ways. In another embodiment, the mission plan may be loaded into memory for a time when the switch is not active, or when the MTT operation of the network becomes disabled. Once the mission plan is loaded, the switch is ready to begin processing the data and processes it in step 1808 to access the data packet from the switch's input data buffer.

In step 1810, the switch determines whether the MTT mode of operation is enabled in the network. If not (1810: NO), the data packet accessed at step 1808 is directed at step 1812 to the output port using a static ARP table arranged to ensure proper forwarding of packets containing a true IDP value. In other words, this mode is used when the MTT mode of operation is not active and all IDPs are assumed to have their true value. The switch conveys the data packet to the appropriate output port in step 1812 without any modification of the data packet in the same manner as a conventional switch. If the MTT mode is enabled (1810: YES), then the process continues to step 1814.

The network will have some MTT status that specifies how the IDP in the network is currently being operated. In step 1814, the switch determines the current state of the false IDP value based on the mission plan and the current MTT state. In step 1816, the system periodically checks to determine if a trigger event has occurred that may change the MTT state. This step of acknowledging the occurrence of a trigger event may be performed periodically, as shown based on the clock signal, or it may be performed at any time during the process contained within the box 1815. This is an important step because the occurrence of a trigger event can have a significant impact on the calculation of the appropriate identification value currently in use in the network. Then, the information from step 1816 and any other appropriate information regarding the MTT state of the network is then used to determine the current state of any MTT operations being used by the network. For example, the occurrence of a trigger event in step 1814 may cause the system to generate an updated cross-reference, or a LUT containing any false IDP values in use at that time, and a corresponding true IDP value. The information about which IDP is false and the true value for such IDP can be determined using a pseudo-random process as described above. As shown in FIG. 18, a trigger event may occur during any of the processing steps 1814, 1818, 1820, 1824, 1826, 1828 and at that time, an instantaneous (e.g., It will trigger recrystallization.

Optionally, non-repudiation of the MTT IDP may be enabled at step 1814. Nonrepudiation is a security service that allows the network administrator to discover the MTT identification used by the dynamic network at any time. As a result, true identification of the network source and destination can be known despite the potentially pseudo-random nature of the IDP of the network traffic and can not be "denied" to deny responsibility. In one embodiment, this can be achieved by simple logging of all false identifications. Therefore, the logging function is performed and thereby all false IDPs determined in step 1814 are written to, for example, memory. Alternatively, non-repudiation can be achieved through timestamped recording of the pseudo-random function and seed values associated with the current state of the MTT mission plan. This allows the network administrator to look back at any time during the operation of the network to "reconfigure" the network identification from the pseudo-random function and the seed value used by the mission plan at that time.

In step 1818, the switch reads the data packet to determine the identity of the source node and the destination node from which the data packet was generated. The source and destination address information of the received data is important because it needs to allow the switch to determine how to properly manipulate the IDP included in the data communication. In step 1820, the switch examines the data packet to determine if the source node is valid. This can be accomplished by comparing the current list of valid source nodes with the source node specified in the data packet (e.g., as determined in step 1814). If the source node information is not valid then the packet is discarded in step 1822. Steps 1824 and 1826 are more specifically the selection steps discussed below.

The process continues from step 1828 to the point where the switch directs the packet to the appropriate output port. This step preferably includes appropriate work to ensure proper forwarding of packets including false IDPs. More specifically, this step ensures that the next destination for data communication is an accurate path for data communication according to the true information corresponding to the false IDP and according to the mission plan. Note that the information in the false IDP will not match the true IDP value, so that while appropriate adjustments must be made to accommodate false information, still ensure proper forwarding of the data message. There are at least two possible ways to address this problem. In some embodiments, step 1828 may include a cross-reference process determined for any false IDP included in the packet, the true IDP value. For example, the LUT generated in step 1814 may be used for this purpose. If a true value is determined for such an IDP, the switch may use a static ARP table (i.e., the same table used in step 1812) to determine the correct output port for a particular packet. After that, the packet can be directed to the correct output port. Alternatively, a dynamic ARP table may be generated for use in step 1828. The dynamic ARP table can directly identify the correct output port corresponding to the false IDP information contained in the data packet. Other methods are also possible and the invention is not intended to be limited to the two approaches described herein.

At step 1830, a determination is made as to whether the switch has been commanded to power down. If so, the process ends at step 1832; Otherwise, the process returns to (1808). In step 1808 the process continues and the next data packet is accessed from the input data buffer of the switch.

In the process described above, the switch performs a forwarding operation to ensure that a data packet containing a false IDP is still delivered to the appropriate destination node or nodes. In addition to performing such basic forwarding functions, the switch may also be configured to perform dynamic manipulation of the IDP in a manner similar to that described above for the module. Referring again to FIG. 18, the selection step 1824 may include dynamic manipulation of the IDP according to the mission plan and current dynamic network conditions. Operation at step 1824 may be similar to the IDP operation performed by module 105-107, 113, 114 of FIG. 1, as described above. Upon completion of such an operation of the IDP, the process may continue as described above with respect to step 1828, essentially as described above. The forwarding operation may be performed using the current IDP value as manipulated by the switch. In particular, the manipulation task in step 1824 can be toggled on and off selectively according to the mission plan. This process is similar to the bypass mode described above with respect to the module and may facilitate changing the location in the network where the IDP operation is performed. This bypass mode of operation may be performed at steps 1810 and 1812 as described above. Alternatively, step 1824 can be bypassed individually.

In the process as described so far, the IDP was manipulated, but the forwarding protocol was static. In other words, the rules for packet forwarding remain the same over time, and these rules are not affected by changes in the MTT state of the network. The packets are always routed along the same path or paths as they are sent in the default forwarding scenario with a static ARP table. In addition to these static routing methods, the arrangement of the present invention may include dynamic forwarding.

In order to fully understand the concept of dynamic forwarding, it is useful to consider the embodiment. In the default forwarding scenario described above with reference to Figure 18, since this path has the shortest number of hops, the switch 1706 sends a packet destined for the server 1714 (via the Internet or some other public network) Gt; 1710 < / RTI > However, in the dynamic forwarding embodiment of the present invention, the forwarding protocol of each switch and / or router can be dynamically modified such that the manner in which the packet is forwarded by a particular switch / router changes over time (and under different conditions) have. Such a change in forwarding will not be predictable without access to the information specified in the mission plan. Thus, the mission plan may specify, for example, that a packet destined to the server 1714 from time to time is directed directly to the router 1708 instead of the router 1710. The packet is then directed through the Internet (or any other public network) to the switch 1712 and to the final destination (e.g., server 1714). At other times, packets destined for the same server may have different paths. In such an embodiment involving dynamic forwarding, it can be mentioned that the path taken by the packet over the network 1700 is dynamically changed in a pseudo-random manner to block the enemy attempting to monitor the network communication. The dynamic forwarding method described below can be performed using any suitable technique and all such techniques are intended to be included within the scope of the present invention. In addition, the dynamic modification of the forwarding protocol can be performed alone or in conjunction with dynamic modification of the IDP as described above.

It should be understood that the dynamic routing method described herein is not limited to the process described above. In yet another embodiment, a switch operating in accordance with a mission plan may determine multiple executable paths through the network. The switch can split and spread communications across the executable path according to the pseudo-random algorithm defined by the mission plan. For example, referring to FIG. 17, switch 1706 may receive communications split into two packets. When operating in accordance with a mission plan, switch 1706 may send one packet through router 1708 and another packet directly to router 1710. The communication is then reassembled at the destination (e.g., server 1714). In such an embodiment, switch 1706 may change the path that the data packet travels along with the pseudo-random function. Those skilled in the art will recognize that this technique can be tailored to a network comprising many switches and / or routers.

In particular, the dynamic routing process described above may also independently generate one or more of the MTT functions described in connection with FIG. Referring now to FIG. 19, a flow diagram is provided that summarizes the operation of the switch in accordance with one embodiment in which the forwarding protocol used by the router varies according to the mission plan. Process 1900 begins at step 1902 when the switch is powered up and continues to step 1904 where the switch application software is started to execute the method described herein. At step 1906, one or more mission plans are loaded from memory locations in the switch. At this point, the switch is ready to begin processing the data and proceeds to do so in step 1908, where it accesses the data packet received from the input data buffer of the switch. In step 1910, a determination is made as to whether the switch is operating in a dynamic forwarding mode. Otherwise, the process proceeds to step 1912 and the data is sent to the destination host in the path to the default port associated with the next hop. Alternatively, if the switch operates in accordance with the dynamic forwarding mode [1910: YES], the process continues to steps 1914-1918 included in box 1913.

In step 1914, the switch determines a set of executable paths over the network that the data packet can take to reach the destination node. These paths can be determined based on the mission plan. For example, a mission plan can recognize a number of paths a data packet can take over the network so that it can go from one point to another. The switch can determine which of these paths is available according to the currently active mission plan. In step 1916, the single path is selected to send packets based on the pseudorandom selection process defined by the mission plan. An acknowledgment as to the occurrence of the reactive trigger event also occurs in step 1915. As discussed above in connection with FIG. 18, the reactive trigger event determined at step 1915 will trigger an immediate redirection of the current MTT state (e.g., the current state of the false IDP value) at that time. If a path is selected, the data packet is directed to an output port in step 1918 toward an adjacent node specified as the next destination for the packet. In certain embodiments, the mission plan can direct the switch to generate additional noise in the network. In these embodiments, step 1918 also includes sending the packet to one or more additional ports in an effort to fill the network with anomalous packets and to dictate the behavior of the network.

In step 1920, a determination is made as to whether the switch is commanded not to be powered. If so, the process ends at step 1922; Otherwise, the process returns to (1908). At step 1908, the process continues and the next data packet is accessed from the router's input data buffer.

Referring now to FIG. 20, a block diagram of switch 2000 is shown. The switch 200 has at least two data ports 2001, 2002. Each of the data ports 2001 and 2002 may correspond to each of the network interface devices 2004 and 2005. As shown in FIG. 20, the switch 2000 may have a plurality of data ports, each of which connects to another network and / or a computing device. The data received in any one of the ports 2001 is processed in the network interface device 2004 and temporarily stored in the input buffer 2010. [ Processor 2015 accesses input data packets included in input buffer 2010 and performs any necessary routing procedures as described herein (i.e., direction 2 processing 2016). The modified data packet is passed to the output buffer 2012 and then transmitted from the port 2002 using the network interface device 2005. Similarly, the data received at port 2002 is processed at network interface device 2005 and is temporarily stored in input buffer 2008. Processor 2015 accesses input data packets contained in input buffer 2008 and performs any necessary routing procedures as described herein (i.e., direction 1 processing 2014). The modified data packet is passed to output buffer 2006 and then transmitted from port 2001 using network interface device 2004. In each module, dynamic routing of data packets is performed by the processor 2015 in accordance with the mission plan 2020 and / or one or more tables 2022 stored in memory 2018.

In addition to the routing function (and the need to potentially manage the dynamic routing protocol), the operation of the switch 2000 is similar in many respects to that of the modules 105-107, 113, and 114. Still, it can be appreciated that the operation of the switch 2000 is also different in some ways. For example, unlike a module, a switch may never be entirely inactive because it needs to perform at least a conventional forwarding function when the network is active. Still, some of the operation of the switch can be transited between active and inactive modes in a manner similar to a module. For example, the conversion function (step 1824 of FIG. 18) performed by the switch including the dynamic modification of the IDP may transition between active and inactive (bypass) modes. When in the active mode, dynamic modification of the IDP can be performed by the switch. When in inactive or bypass mode, the IDP is not dynamically modified, even though the forwarding function is still active. In particular, the mission plan can use a switch (in a manner analogous to that described above for the module) to change the location at which the IDP operation is performed. Such work may be performed exclusively by one or more switches and / or routers, as shown in FIG. 17, or may be performed in connection with other devices such as modules, bridges, and firewalls. The mission plan used by the switch can be updated in a manner similar to that described herein for the module, except for the conventional forwarding function, which allows the static ARP table to remain active for the time when the new mission plan is loaded have. Alternatively, as described above, loading and activating a new mission plan may cause a trigger event to occur and thereby all data received in the input buffer after the trigger event will be processed using the updated mission plan.

The choice of IDP to be operated by the switch, and the manner in which they are operated, may be similar to the approach described above for the module. For example, selection of IDP and selection of a false IDP value may be determined by a pseudo-random or chaotic process. The process and / or the seed value for such a process are each determined by a mission plan associated with the network. The switch 2000 will change the selection of the IDP value and / or the IDP to be manipulated in accordance with the occurrence of one or more trigger events as described above with reference to the module. These trigger events can be generated as a function of time and can be determined by the occurrence of an event or both of them. Embodiments of the events mentioned herein may include detection of user commands, timing intervals, and potential network security threats, as discussed above.

Variable IDP Type of

Referring now to FIG. 21, a list of portions of the IDP that can be operated by the modules 105-107, 113, 114 and / or by the bridge 115 is provided. Each of the parameters listed in FIG. 21 is included in the data communication included in the network using the TCP / IP communication protocol. Most of the types of information listed in Figure 21 are known to those skilled in the art. However, a brief description of each type of information and its use as an IDP is provided herein. There is also provided a brief discussion of the manner in which each IDP can be manipulated.

IP address. The IP address is a numeric identifier assigned to each computing device participating in a computer network using a known Internet Protocol for communication network. The IP address may be 32 bits or 128 bits. For purposes of the present invention, the number of IP addresses may be changed to a randomly selected false value (e.g., using a pseudo-random number generator). Alternatively, the false IP address value may be randomly selected from a predetermined list of false values (e.g., a list specified by the mission plan). The source and destination IP addresses are included in the header portion of the data packet. Thus, manipulation of these values is performed by simply changing by using a packet manipulation technique that changes the IP header information. When the packet reaches the second module (operable position), the false IP address value is converted back to a true value. The second module uses the same pseudo-random process (or its inverse) to derive the true IP address value based on the false value.

MAC address. The MAC address is a unique value assigned to the network interface device by the manufacturer and stored in on-board ROM. For purposes of the present invention, the source and / or destination MAC address may be changed to a randomly selected false value (e.g., using a pseudo-random number generator). Alternatively, the false MAC value may be randomly selected from a predetermined list of false values (e.g., a list specified by the mission plan). The source and destination MAC addresses are included in the header portion of the data packet. Thus, manipulation of these values is performed by simply changing the Ethernet header information of each packet. When the packet reaches the second module (the position where it can be manipulated), the false MAC address values are converted back to their true values. The module receiving the packet will use the same pseudo-random process (or its inverse) to derive the true MAC address value based on the false value.

Network / Subnet. In some embodiments, the IP address can be thought of as a single IDP. However, the IP address is generally defined as including at least two portions including a network prefix portion and a host number portion. The network prefix portion identifies the network to which the data packet will be forwarded. The host number identifies a particular node within a local area network ("LAN"). A subnetwork (sometimes referred to as a subnet) is the logical part of an IP network. Where the network is divided into two or more subnetworks, a portion of the host number section of the IP address is used to specify the subnet number. For purposes of the present invention, each of the network prefix, subnet number, and host number may be considered to be a separate IDP. Thus, each of these IDPs can be manipulated separately in a pseudo-random manner independently of the others. In addition, it will be appreciated that the data packet will include a source IP address and a destination IP address. Thus, the network prefix, the subnet number, and the number of hosts can be manipulated at the source IP address and / or the destination IP address for a total of six different variable IDPs that can be manipulated in a pseudo-random manner. The module receiving the packet will use the same pseudo-random process (or the inverse of such process) as the originating node to derive the true network / subnet information value based on the false value.

TCP sequence. The two client computers that communicate with each other on the opposite side of the TCP section will each maintain a TCP sequence number. Sequence numbers allow each computer to track how much data it has delivered. The TCP sequence number is included in the TCP header portion of each packet transmitted during the session. At the beginning of a TCP session, the first sequence number value is randomly selected. For purposes of the present invention, the TCP sequence number may be manipulated as an IDP in accordance with a pseudo-random process. For example, the TCP sequence number can be changed to a randomly selected false value (eg, using a pseudo-random number generator). When a packet is received at another module in the network (where it is dynamically changed), the TCP sequence number can be converted from a false value back to a true value using the inverse of the pseudo-random process.

Port number. The TCP / IP port number is included in the TCP or UDP header portion of the data packet. The ports as used in the TCP / IP communication protocol are well known in the art and will therefore not be specifically described herein. The port information is included in the TCP header portion of the data packet. Thus, manipulation of port information is achieved by simply modifying the TCP header information to change the true port value to a false port value. In other IDPs discussed herein, the port number information may be manipulated or converted to a false value in the first module according to a pseudo-random process. The port information may later be converted from a false value to a true value in the second module, using the inverse of the pseudo-random process.

While the invention has been shown and described with respect to more than one implementation, it is evident that many alternatives and modifications will occur to those skilled in the art upon reading and understanding the present specification and the accompanying drawings. In addition, while certain features of the invention may be disclosed for only one of several acts, such a feature may be combined with one or more other features of another act as may be desired and advantageous for any given or particular application . Accordingly, the spirit and scope of the present invention are not limited by any of the above-described embodiments. Rather, the scope of the present invention is defined by the following claims and their equivalents.

Claims (10)

A method for enterprise mission management of a computer network in which node operations are dynamically configurable,
Configuring the computer network using a network management computer (NAC) to operate in accordance with at least one first mission plan of the plurality of mission plans;
Wherein a value assigned for at least one first identification parameter of a plurality of identification parameters having a value contained in a data packet uniquely identifying the hardware and software of at least one computing device communicating data in the computer network is a true value identifying a first pseudo-random process dynamically modified from a true value to a false value by the first mission plan;
Executing the first pseudo-random process at a first computing device that constitutes a first node of the computer network based on the first mission plan;
Determining, in the NAC, whether a first trigger event has occurred in the computer network indicating that a new mission plan needs to be implemented in the computer network;
Acquiring a second mission plan different from the first mission plan among a plurality of mission plans available for the NAC in place of the first mission plan in response to the determination of the occurrence of the first trigger event, Identifying a second pseudo-random process different from the first pseudo-random process, wherein a value assigned to at least one second identification parameter of the identification parameter is dynamically modified from a true value to a false value;
Determining, in the NAC, whether a conflict exists between a processing operation of a second node defined by the second mission plan and a processing operation of the first node defined by the first mission plan;
And configuring the operation of the computer network to further operate according to the second mission plan using the NAC if it is determined that there is no conflict between the processing operation of the second node and the processing operation of the first node step; And
Executing the second pseudo-random process at a second computing device having a second node of the computer network based on the second mission plan,
Wherein the plurality of identification parameters are selected from the group consisting of an IP address, a MAC address, a network / subnet, a TCP sequence or a port number. The method according to claim 1,
The first trigger event
Wherein the determination is based on at least one of packet content communicated within the computer network. The method according to claim 1,
Wherein the second mission plan is obtained by selecting a mission plan from a plurality of pre-stored mission plans based on at least one of the results of analyzing the requirements of the new mission and the operational aspects of the computer network Way. delete The method according to claim 1,
The second mission plan may comprise generating a mission plan dynamically based on at least one of a concept of an operation for a mission, an architecture of the computer network, a relationship between resources of the computer network, and an extent associated with a plurality of identification parameters ≪ / RTI > The method according to claim 1,
Operating the NAC to modify the second mission plan to obtain a third mission plan if it is determined that there is a conflict between the processing operation of the second node and the processing operation of the first node ≪ / RTI > The method according to claim 6,
Determining whether there is a conflict between the operation of the third node defined by the third mission plan and the operation of the first node defined by the first mission plan using the NAC; . ≪ / RTI > 8. The method of claim 7,
And to configure the operation of the computer network to operate in accordance with the third mission plan if it is determined that there is no conflict between the operations of the first and third nodes defined by the first and third mission plans. And operating the NAC. The method according to claim 1,
Using the NAC, determining whether the computer network should continue to operate according to the first and second mission plans; And
Operating the NAC to reconfigure the computer network so that the computer network is no longer operating according to the first and second mission plans if it is determined not to continue operation according to the first and second mission plans ; ≪ / RTI > A network management computer (NAC) communicatively coupled to a computer network comprised of a plurality of computing devices,
The NAC includes:
Wherein a plurality of computing devices associated with the computer network operate in accordance with a first of the plurality of mission plans, the first mission plan comprising at least one of a plurality of computer processing devices having a first node of the computer network One by one, based on the first mission plan, a value assigned for at least one first identification parameter of the plurality of identification parameters is dynamically modified from a true value to a false value, Wherein the plurality of identification parameters are configured to have a value contained in a data packet uniquely identifying the hardware and software of at least one computing device communicating data in the computer network;
Configured to determine that a first trigger event has occurred in the computer network indicating that a new mission plan needs to be implemented within the computer network;
Acquiring a second mission plan different from the first mission plan among a plurality of mission plans available in place of the first mission plan in response to the determination of the occurrence of the first trigger event, A value assigned to at least one second identification parameter of the plurality of identification parameters is dynamically modified from a true value to a false value by at least a second one of the plurality of computer processing devices having two nodes, A first pseudo random process different from the first pseudo random process;
Determine whether there is a conflict between the operation of the second node defined by the second mission plan and the operation of the first node defined by the first mission plan; And
Wherein the operation of the computer network is further configured to operate according to the second mission plan when it is determined that there is no conflict between the operations of the first and second nodes as defined by the first and second mission plans. ;
Wherein the at least one identification parameter is selected from the group consisting of an IP address, a MAC address, a network / subnet, a TCP sequence or a port number.

Images